<!doctype html><html lang="en">
 <head>
  <meta content="text/html; charset=utf-8" http-equiv="Content-Type">
  <meta content="width=device-width, initial-scale=1, shrink-to-fit=no" name="viewport">
  <title>Document Policy</title>
<style data-fill-with="stylesheet">/******************************************************************************
 *                   Style sheet for the W3C specifications                   *
 *
 * Special classes handled by this style sheet include:
 *
 * Indices
 *   - .toc for the Table of Contents (<ol class="toc">)
 *     + <span class="secno"> for the section numbers
 *   - #toc for the Table of Contents (<nav id="toc">)
 *   - ul.index for Indices (<a href="#ref">term</a><span>, in §N.M</span>)
 *   - table.index for Index Tables (e.g. for properties or elements)
 *
 * Structural Markup
 *   - table.data for general data tables
 *     -> use 'scope' attribute, <colgroup>, <thead>, and <tbody> for best results !
 *     -> use <table class='complex data'> for extra-complex tables
 *     -> use <td class='long'> for paragraph-length cell content
 *     -> use <td class='pre'> when manual line breaks/indentation would help readability
 *   - dl.switch for switch statements
 *   - ol.algorithm for algorithms (helps to visualize nesting)
 *   - .figure and .caption (HTML4) and figure and figcaption (HTML5)
 *     -> .sidefigure for right-floated figures
 *   - ins/del
 *
 * Code
 *   - pre and code
 *
 * Special Sections
 *   - .note       for informative notes             (div, p, span, aside, details)
 *   - .example    for informative examples          (div, p, pre, span)
 *   - .issue      for issues                        (div, p, span)
 *   - .assertion  for assertions                    (div, p, span)
 *   - .advisement for loud normative statements     (div, p, strong)
 *   - .annoying-warning for spec obsoletion notices (div, aside, details)
 *
 * Definition Boxes
 *   - pre.def   for WebIDL definitions
 *   - table.def for tables that define other entities (e.g. CSS properties)
 *   - dl.def    for definition lists that define other entitles (e.g. HTML elements)
 *
 * Numbering
 *   - .secno for section numbers in .toc and headings (<span class='secno'>3.2</span>)
 *   - .marker for source-inserted example/figure/issue numbers (<span class='marker'>Issue 4</span>)
 *   - ::before styled for CSS-generated issue/example/figure numbers:
 *     -> Documents wishing to use this only need to add
 *        figcaption::before,
 *        .caption::before { content: "Figure "  counter(figure) " ";  }
 *        .example::before { content: "Example " counter(example) " "; }
 *        .issue::before   { content: "Issue "   counter(issue) " ";   }
 *
 * Header Stuff (ignore, just don't conflict with these classes)
 *   - .head for the header
 *   - .copyright for the copyright
 *
 * Miscellaneous
 *   - .overlarge for things that should be as wide as possible, even if
 *     that overflows the body text area. This can be used on an item or
 *     on its container, depending on the effect desired.
 *     Note that this styling basically doesn't help at all when printing,
 *     since A4 paper isn't much wider than the max-width here.
 *     It's better to design things to fit into a narrower measure if possible.
 *   - js-added ToC jump links (see fixup.js)
 *
 ******************************************************************************/

/******************************************************************************/
/*                                   Body                                     */
/******************************************************************************/

	body {
		counter-reset: example figure issue;

		/* Layout */
		max-width: 50em;               /* limit line length to 50em for readability   */
		margin: 0 auto;                /* center text within page                     */
		padding: 1.6em 1.5em 2em 50px; /* assume 16px font size for downlevel clients */
		padding: 1.6em 1.5em 2em calc(26px + 1.5em); /* leave space for status flag     */

		/* Typography */
		line-height: 1.5;
		font-family: sans-serif;
		widows: 2;
		orphans: 2;
		word-wrap: break-word;
		overflow-wrap: break-word;
		hyphens: auto;

		/* Colors */
		color: black;
		background: white top left fixed no-repeat;
		background-size: 25px auto;
	}


/******************************************************************************/
/*                         Front Matter & Navigation                          */
/******************************************************************************/

/** Header ********************************************************************/

	div.head { margin-bottom: 1em }
	div.head hr { border-style: solid; }

	div.head h1 {
		font-weight: bold;
		margin: 0 0 .1em;
		font-size: 220%;
	}

	div.head h2 { margin-bottom: 1.5em;}

/** W3C Logo ******************************************************************/

	.head .logo {
		float: right;
		margin: 0.4rem 0 0.2rem .4rem;
	}

	.head img[src*="logos/W3C"] {
		display: block;
		border: solid #1a5e9a;
		border-width: .65rem .7rem .6rem;
		border-radius: .4rem;
		background: #1a5e9a;
		color: white;
		font-weight: bold;
	}

	.head a:hover > img[src*="logos/W3C"],
	.head a:focus > img[src*="logos/W3C"] {
		opacity: .8;
	}

	.head a:active > img[src*="logos/W3C"] {
		background: #c00;
		border-color: #c00;
	}

	/* see also additional rules in Link Styling section */

/** Copyright *****************************************************************/

	p.copyright,
	p.copyright small { font-size: small }

/** Back to Top / ToC Toggle **************************************************/

	@media print {
		#toc-nav {
			display: none;
		}
	}
	@media not print {
		#toc-nav {
			position: fixed;
			z-index: 2;
			bottom: 0; left: 0;
			margin: 0;
			min-width: 1.33em;
			border-top-right-radius: 2rem;
			box-shadow: 0 0 2px;
			font-size: 1.5em;
			color: black;
		}
		#toc-nav > a {
			display: block;
			white-space: nowrap;

			height: 1.33em;
			padding: .1em 0.3em;
			margin: 0;

			background: white;
			box-shadow: 0 0 2px;
			border: none;
			border-top-right-radius: 1.33em;
			background: white;
		}
		#toc-nav > #toc-jump {
			padding-bottom: 2em;
			margin-bottom: -1.9em;
		}

		#toc-nav > a:hover,
		#toc-nav > a:focus {
			background: #f8f8f8;
		}
		#toc-nav > a:not(:hover):not(:focus) {
			color: #707070;
		}

		/* statusbar gets in the way on keyboard focus; remove once browsers fix */
		#toc-nav > a[href="#toc"]:not(:hover):focus:last-child {
			padding-bottom: 1.5rem;
		}

		#toc-nav:not(:hover) > a:not(:focus) > span + span {
			/* Ideally this uses :focus-within on #toc-nav */
			display: none;
		}
		#toc-nav > a > span + span {
			padding-right: 0.2em;
		}

		#toc-toggle-inline {
			vertical-align: 0.05em;
			font-size: 80%;
			color: gray;
			color: hsla(203,20%,40%,.7);
			border-style: none;
			background: transparent;
			position: relative;
		}
		#toc-toggle-inline:hover:not(:active),
		#toc-toggle-inline:focus:not(:active) {
			text-shadow: 1px 1px silver;
			top: -1px;
			left: -1px;
		}

		#toc-nav :active {
			color: #C00;
		}
	}

/** ToC Sidebar ***************************************************************/

	/* Floating sidebar */
	@media screen {
		body.toc-sidebar #toc {
			position: fixed;
			top: 0; bottom: 0;
			left: 0;
			width: 23.5em;
			max-width: 80%;
			max-width: calc(100% - 2em - 26px);
			overflow: auto;
			padding: 0 1em;
			padding-left: 42px;
			padding-left: calc(1em + 26px);
			background: inherit;
			background-color: #f7f8f9;
			z-index: 1;
			box-shadow: -.1em 0 .25em rgba(0,0,0,.1) inset;
		}
		body.toc-sidebar #toc h2 {
			margin-top: .8rem;
			font-variant: small-caps;
			font-variant: all-small-caps;
			text-transform: lowercase;
			font-weight: bold;
			color: gray;
			color: hsla(203,20%,40%,.7);
		}
		body.toc-sidebar #toc-jump:not(:focus) {
			width: 0;
			height: 0;
			padding: 0;
			position: absolute;
			overflow: hidden;
		}
	}
	/* Hide main scroller when only the ToC is visible anyway */
	@media screen and (max-width: 28em) {
		body.toc-sidebar {
			overflow: hidden;
		}
	}

	/* Sidebar with its own space */
	@media screen and (min-width: 78em) {
		body:not(.toc-inline) #toc {
			position: fixed;
			top: 0; bottom: 0;
			left: 0;
			width: 23.5em;
			overflow: auto;
			padding: 0 1em;
			padding-left: 42px;
			padding-left: calc(1em + 26px);
			background: inherit;
			background-color: #f7f8f9;
			z-index: 1;
			box-shadow: -.1em 0 .25em rgba(0,0,0,.1) inset;
		}
		body:not(.toc-inline) #toc h2 {
			margin-top: .8rem;
			font-variant: small-caps;
			font-variant: all-small-caps;
			text-transform: lowercase;
			font-weight: bold;
			color: gray;
			color: hsla(203,20%,40%,.7);
		}

		body:not(.toc-inline) {
			padding-left: 29em;
		}
		/* See also Overflow section at the bottom */

		body:not(.toc-inline) #toc-jump:not(:focus) {
			width: 0;
			height: 0;
			padding: 0;
			position: absolute;
			overflow: hidden;
		}
	}
	@media screen and (min-width: 90em) {
		body:not(.toc-inline) {
			margin: 0 4em;
		}
	}

/******************************************************************************/
/*                                Sectioning                                  */
/******************************************************************************/

/** Headings ******************************************************************/

	h1, h2, h3, h4, h5, h6, dt {
		page-break-after: avoid;
		page-break-inside: avoid;
		font: 100% sans-serif;   /* Reset all font styling to clear out UA styles */
		font-family: inherit;    /* Inherit the font family. */
		line-height: 1.2;        /* Keep wrapped headings compact */
		hyphens: manual;         /* Hyphenated headings look weird */
	}

	h2, h3, h4, h5, h6 {
		margin-top: 3rem;
	}

	h1, h2, h3 {
		color: #005A9C;
		background: transparent;
	}

	h1 { font-size: 170%; }
	h2 { font-size: 140%; }
	h3 { font-size: 120%; }
	h4 { font-weight: bold; }
	h5 { font-style: italic; }
	h6 { font-variant: small-caps; }
	dt { font-weight: bold; }

/** Subheadings ***************************************************************/

	h1 + h2,
	#subtitle {
		/* #subtitle is a subtitle in an H2 under the H1 */
		margin-top: 0;
	}
	h2 + h3,
	h3 + h4,
	h4 + h5,
	h5 + h6 {
		margin-top: 1.2em; /* = 1 x line-height */
	}

/** Section divider ***********************************************************/

	:not(.head) > hr {
		font-size: 1.5em;
		text-align: center;
		margin: 1em auto;
		height: auto;
		border: transparent solid 0;
		background: transparent;
	}
	:not(.head) > hr::before {
		content: "\2727\2003\2003\2727\2003\2003\2727";
	}

/******************************************************************************/
/*                            Paragraphs and Lists                            */
/******************************************************************************/

	p {
		margin: 1em 0;
	}

	dd > p:first-child,
	li > p:first-child {
		margin-top: 0;
	}

	ul, ol {
		margin-left: 0;
		padding-left: 2em;
	}

	li {
		margin: 0.25em 0 0.5em;
		padding: 0;
	}

	dl dd {
		margin: 0 0 .5em 2em;
	}

	.head dd + dd { /* compact for header */
		margin-top: -.5em;
	}

	/* Style for algorithms */
	ol.algorithm ol:not(.algorithm),
	.algorithm > ol ol:not(.algorithm) {
	 border-left: 0.5em solid #DEF;
	}

	/* Put nice boxes around each algorithm. */
	[data-algorithm]:not(.heading) {
	  padding: .5em;
	  border: thin solid #ddd; border-radius: .5em;
	  margin: .5em calc(-0.5em - 1px);
	}
	[data-algorithm]:not(.heading) > :first-child {
	  margin-top: 0;
	}
	[data-algorithm]:not(.heading) > :last-child {
	  margin-bottom: 0;
	}

	/* Style for switch/case <dl>s */
	dl.switch > dd > ol.only,
	dl.switch > dd > .only > ol {
	 margin-left: 0;
	}
	dl.switch > dd > ol.algorithm,
	dl.switch > dd > .algorithm > ol {
	 margin-left: -2em;
	}
	dl.switch {
	 padding-left: 2em;
	}
	dl.switch > dt {
	 text-indent: -1.5em;
	 margin-top: 1em;
	}
	dl.switch > dt + dt {
	 margin-top: 0;
	}
	dl.switch > dt::before {
	 content: '\21AA';
	 padding: 0 0.5em 0 0;
	 display: inline-block;
	 width: 1em;
	 text-align: right;
	 line-height: 0.5em;
	}

/** Terminology Markup ********************************************************/


/******************************************************************************/
/*                                 Inline Markup                              */
/******************************************************************************/

/** Terminology Markup ********************************************************/
	dfn   { /* Defining instance */
		font-weight: bolder;
	}
	a > i { /* Instance of term */
		font-style: normal;
	}
	dt dfn code, code.idl {
		font-size: medium;
	}
	dfn var {
		font-style: normal;
	}

/** Change Marking ************************************************************/

	del { color: red;  text-decoration: line-through; }
	ins { color: #080; text-decoration: underline;    }

/** Miscellaneous improvements to inline formatting ***************************/

	sup {
		vertical-align: super;
		font-size: 80%
	}

/******************************************************************************/
/*                                    Code                                    */
/******************************************************************************/

/** General monospace/pre rules ***********************************************/

	pre, code, samp {
		font-family: Menlo, Consolas, "DejaVu Sans Mono", Monaco, monospace;
		font-size: .9em;
		page-break-inside: avoid;
		hyphens: none;
		text-transform: none;
	}
	pre code,
	code code {
		font-size: 100%;
	}

	pre {
		margin-top: 1em;
		margin-bottom: 1em;
		overflow: auto;
	}

/** Inline Code fragments *****************************************************/

  /* Do something nice. */

/******************************************************************************/
/*                                    Links                                   */
/******************************************************************************/

/** General Hyperlinks ********************************************************/

	/* We hyperlink a lot, so make it less intrusive */
	a[href] {
		color: #034575;
		text-decoration: none;
		border-bottom: 1px solid #707070;
		/* Need a bit of extending for it to look okay */
		padding: 0 1px 0;
		margin: 0 -1px 0;
	}
	a:visited {
		border-bottom-color: #BBB;
	}

	/* Use distinguishing colors when user is interacting with the link */
	a[href]:focus,
	a[href]:hover {
		background: #f8f8f8;
		background: rgba(75%, 75%, 75%, .25);
		border-bottom-width: 3px;
		margin-bottom: -2px;
	}
	a[href]:active {
		color: #C00;
		border-color: #C00;
	}

	/* Backout above styling for W3C logo */
	.head .logo,
	.head .logo a {
		border: none;
		text-decoration: none;
		background: transparent;
	}

/******************************************************************************/
/*                                    Images                                  */
/******************************************************************************/

	img {
		border-style: none;
	}

	/* For autogen numbers, add
	   .caption::before, figcaption::before { content: "Figure " counter(figure) ". "; }
	*/

	figure, .figure, .sidefigure {
		page-break-inside: avoid;
		text-align: center;
		margin: 2.5em 0;
	}
	.figure img,    .sidefigure img,    figure img,
	.figure object, .sidefigure object, figure object {
		max-width: 100%;
		margin: auto;
	}
	.figure pre, .sidefigure pre, figure pre {
		text-align: left;
		display: table;
		margin: 1em auto;
	}
	.figure table, figure table {
		margin: auto;
	}
	@media screen and (min-width: 20em) {
		.sidefigure {
			float: right;
			width: 50%;
			margin: 0 0 0.5em 0.5em
		}
	}
	.caption, figcaption, caption {
		font-style: italic;
		font-size: 90%;
	}
	.caption::before, figcaption::before, figcaption > .marker {
		font-weight: bold;
	}
	.caption, figcaption {
		counter-increment: figure;
	}

	/* DL list is indented 2em, but figure inside it is not */
	dd > .figure, dd > figure { margin-left: -2em }

/******************************************************************************/
/*                             Colored Boxes                                  */
/******************************************************************************/

	.issue, .note, .example, .assertion, .advisement, blockquote {
		padding: .5em;
		border: .5em;
		border-left-style: solid;
		page-break-inside: avoid;
	}
	span.issue, span.note {
		padding: .1em .5em .15em;
		border-right-style: solid;
	}

	.issue,
	.note,
	.example,
	.advisement,
	.assertion,
	blockquote {
		margin: 1em auto;
	}
	.note  > p:first-child,
	.issue > p:first-child,
	blockquote > :first-child {
		margin-top: 0;
	}
	blockquote > :last-child {
		margin-bottom: 0;
	}

/** Blockquotes ***************************************************************/

	blockquote {
		border-color: silver;
	}

/** Open issue ****************************************************************/

	.issue {
		border-color: #E05252;
		background: #FBE9E9;
		counter-increment: issue;
		overflow: auto;
	}
	.issue::before, .issue > .marker {
		text-transform: uppercase;
		color: #AE1E1E;
		padding-right: 1em;
		text-transform: uppercase;
	}
	/* Add .issue::before { content: "Issue " counter(issue) " "; } for autogen numbers,
	   or use class="marker" to mark up the issue number in source. */

/** Example *******************************************************************/

	.example {
		border-color: #E0CB52;
		background: #FCFAEE;
		counter-increment: example;
		overflow: auto;
		clear: both;
	}
	.example::before, .example > .marker {
		text-transform: uppercase;
		color: #827017;
		min-width: 7.5em;
		display: block;
	}
	/* Add .example::before { content: "Example " counter(example) " "; } for autogen numbers,
	   or use class="marker" to mark up the example number in source. */

/** Non-normative Note ********************************************************/

	.note {
		border-color: #52E052;
		background: #E9FBE9;
		overflow: auto;
	}

	.note::before, .note > .marker,
	details.note > summary::before,
	details.note > summary > .marker {
		text-transform: uppercase;
		display: block;
		color: hsl(120, 70%, 30%);
	}
	/* Add .note::before { content: "Note"; } for autogen label,
	   or use class="marker" to mark up the label in source. */

	details.note > summary {
		display: block;
		color: hsl(120, 70%, 30%);
	}
	details.note[open] > summary {
		border-bottom: 1px silver solid;
	}

/** Assertion Box *************************************************************/
	/*  for assertions in algorithms */

	.assertion {
		border-color: #AAA;
		background: #EEE;
	}

/** Advisement Box ************************************************************/
	/*  for attention-grabbing normative statements */

	.advisement {
		border-color: orange;
		border-style: none solid;
		background: #FFEECC;
	}
	strong.advisement {
		display: block;
		text-align: center;
	}
	.advisement > .marker {
		color: #B35F00;
	}

/** Spec Obsoletion Notice ****************************************************/
	/* obnoxious obsoletion notice for older/abandoned specs. */

	details {
		display: block;
	}
	summary {
		font-weight: bolder;
	}

	.annoying-warning:not(details),
	details.annoying-warning:not([open]) > summary,
	details.annoying-warning[open] {
		background: #fdd;
		color: red;
		font-weight: bold;
		padding: .75em 1em;
		border: thick red;
		border-style: solid;
		border-radius: 1em;
	}
	.annoying-warning :last-child {
		margin-bottom: 0;
	}

@media not print {
	details.annoying-warning[open] {
		position: fixed;
		left: 1em;
		right: 1em;
		bottom: 1em;
		z-index: 1000;
	}
}

	details.annoying-warning:not([open]) > summary {
		text-align: center;
	}

/** Entity Definition Boxes ***************************************************/

	.def {
		padding: .5em 1em;
		background: #DEF;
		margin: 1.2em 0;
		border-left: 0.5em solid #8CCBF2;
	}

/******************************************************************************/
/*                                    Tables                                  */
/******************************************************************************/

	th, td {
		text-align: left;
		text-align: start;
	}

/** Property/Descriptor Definition Tables *************************************/

	table.def {
		/* inherits .def box styling, see above */
		width: 100%;
		border-spacing: 0;
	}

	table.def td,
	table.def th {
		padding: 0.5em;
		vertical-align: baseline;
		border-bottom: 1px solid #bbd7e9;
	}

	table.def > tbody > tr:last-child th,
	table.def > tbody > tr:last-child td {
		border-bottom: 0;
	}

	table.def th {
		font-style: italic;
		font-weight: normal;
		padding-left: 1em;
		width: 3em;
	}

	/* For when values are extra-complex and need formatting for readability */
	table td.pre {
		white-space: pre-wrap;
	}

	/* A footnote at the bottom of a def table */
	table.def           td.footnote {
		padding-top: 0.6em;
	}
	table.def           td.footnote::before {
		content: " ";
		display: block;
		height: 0.6em;
		width: 4em;
		border-top: thin solid;
	}

/** Data tables (and properly marked-up index tables) *************************/
	/*
		 <table class="data"> highlights structural relationships in a table
		 when correct markup is used (e.g. thead/tbody, th vs. td, scope attribute)

		 Use class="complex data" for particularly complicated tables --
		 (This will draw more lines: busier, but clearer.)

		 Use class="long" on table cells with paragraph-like contents
		 (This will adjust text alignment accordingly.)
		 Alternately use class="longlastcol" on tables, to have the last column assume "long".
	*/

	table {
		word-wrap: normal;
		overflow-wrap: normal;
		hyphens: manual;
	}

	table.data,
	table.index {
		margin: 1em auto;
		border-collapse: collapse;
		border: hidden;
		width: 100%;
	}
	table.data caption,
	table.index caption {
		max-width: 50em;
		margin: 0 auto 1em;
	}

	table.data td,  table.data th,
	table.index td, table.index th {
		padding: 0.5em 1em;
		border-width: 1px;
		border-color: silver;
		border-top-style: solid;
	}

	table.data thead td:empty {
		padding: 0;
		border: 0;
	}

	table.data  thead,
	table.index thead,
	table.data  tbody,
	table.index tbody {
		border-bottom: 2px solid;
	}

	table.data colgroup,
	table.index colgroup {
		border-left: 2px solid;
	}

	table.data  tbody th:first-child,
	table.index tbody th:first-child  {
		border-right: 2px solid;
		border-top: 1px solid silver;
		padding-right: 1em;
	}

	table.data th[colspan],
	table.data td[colspan] {
		text-align: center;
	}

	table.complex.data th,
	table.complex.data td {
		border: 1px solid silver;
		text-align: center;
	}

	table.data.longlastcol td:last-child,
	table.data td.long {
	 vertical-align: baseline;
	 text-align: left;
	}

	table.data img {
		vertical-align: middle;
	}


/*
Alternate table alignment rules

	table.data,
	table.index {
		text-align: center;
	}

	table.data  thead th[scope="row"],
	table.index thead th[scope="row"] {
		text-align: right;
	}

	table.data  tbody th:first-child,
	table.index tbody th:first-child  {
		text-align: right;
	}

Possible extra rowspan handling

	table.data  tbody th[rowspan]:not([rowspan='1']),
	table.index tbody th[rowspan]:not([rowspan='1']),
	table.data  tbody td[rowspan]:not([rowspan='1']),
	table.index tbody td[rowspan]:not([rowspan='1']) {
		border-left: 1px solid silver;
	}

	table.data  tbody th[rowspan]:first-child,
	table.index tbody th[rowspan]:first-child,
	table.data  tbody td[rowspan]:first-child,
	table.index tbody td[rowspan]:first-child{
		border-left: 0;
		border-right: 1px solid silver;
	}
*/

/******************************************************************************/
/*                                  Indices                                   */
/******************************************************************************/


/** Table of Contents *********************************************************/

	.toc a {
		/* More spacing; use padding to make it part of the click target. */
		padding-top: 0.1rem;
		/* Larger, more consistently-sized click target */
		display: block;
		/* Reverse color scheme */
		color: black;
		border-color: #3980B5;
		border-bottom-width: 3px !important;
		margin-bottom: 0px !important;
	}
	.toc a:visited {
		border-color: #054572;
	}
	.toc a:not(:focus):not(:hover) {
		/* Allow colors to cascade through from link styling */
		border-bottom-color: transparent;
	}

	.toc, .toc ol, .toc ul, .toc li {
		list-style: none; /* Numbers must be inlined into source */
		/* because generated content isn't search/selectable and markers can't do multilevel yet */
		margin:  0;
		padding: 0;
		line-height: 1.1rem; /* consistent spacing */
	}

	/* ToC not indented until third level, but font style & margins show hierarchy */
	.toc > li             { font-weight: bold;   }
	.toc > li li          { font-weight: normal; }
	.toc > li li li       { font-size:   95%;    }
	.toc > li li li li    { font-size:   90%;    }
	.toc > li li li li .secno { font-size: 85%; }
	.toc > li li li li li { font-size:   85%;    }
	.toc > li li li li li .secno { font-size: 100%; }

	/* @supports not (display:grid) { */
		.toc > li             { margin: 1.5rem 0;    }
		.toc > li li          { margin: 0.3rem 0;    }
		.toc > li li li       { margin-left: 2rem;   }

		/* Section numbers in a column of their own */
		.toc .secno {
			float: left;
			width: 4rem;
			white-space: nowrap;
		}

		.toc li {
			clear: both;
		}

		:not(li) > .toc              { margin-left:  5rem; }
		.toc .secno                  { margin-left: -5rem; }
		.toc > li li li .secno       { margin-left: -7rem; }
		.toc > li li li li .secno    { margin-left: -9rem; }
		.toc > li li li li li .secno { margin-left: -11rem; }

		/* Tighten up indentation in narrow ToCs */
		@media (max-width: 30em) {
			:not(li) > .toc              { margin-left:  4rem; }
			.toc .secno                  { margin-left: -4rem; }
			.toc > li li li              { margin-left:  1rem; }
			.toc > li li li .secno       { margin-left: -5rem; }
			.toc > li li li li .secno    { margin-left: -6rem; }
			.toc > li li li li li .secno { margin-left: -7rem; }
		}
	/* } */

	@supports (display:grid) and (display:contents) {
		/* Use #toc over .toc to override non-@supports rules. */
		#toc {
			display: grid;
			align-content: start;
			grid-template-columns: auto 1fr;
			grid-column-gap: 1rem;
			column-gap: 1rem;
			grid-row-gap: .6rem;
			row-gap: .6rem;
		}
		#toc h2 {
			grid-column: 1 / -1;
			margin-bottom: 0;
		}
		#toc ol,
		#toc li,
		#toc a {
			display: contents;
			/* Switch <a> to subgrid when supported */
		}
		#toc span {
			margin: 0;
		}
		#toc > .toc > li > a > span {
			/* The spans of the top-level list,
			   comprising the first items of each top-level section. */
			margin-top: 1.1rem;
		}
		#toc#toc .secno { /* Ugh, need more specificity to override base.css */
			grid-column: 1;
			width: auto;
			margin-left: 0;
		}
		#toc .content {
			grid-column: 2;
			width: auto;
			margin-right: 1rem;
		}
		#toc .content:hover {
			background: rgba(75%, 75%, 75%, .25);
			border-bottom: 3px solid #054572;
			margin-bottom: -3px;
		}
		#toc li li li .content {
			margin-left: 1rem;
		}
		#toc li li li li .content {
			margin-left: 2rem;
		}
	}


/** Index *********************************************************************/

	/* Index Lists: Layout */
	ul.index       { margin-left: 0; columns: 15em; text-indent: 1em hanging; }
	ul.index li    { margin-left: 0; list-style: none; break-inside: avoid; }
	ul.index li li { margin-left: 1em }
	ul.index dl    { margin-top: 0; }
	ul.index dt    { margin: .2em 0 .2em 20px;}
	ul.index dd    { margin: .2em 0 .2em 40px;}
	/* Index Lists: Typography */
	ul.index ul,
	ul.index dl { font-size: smaller; }
	@media not print {
		ul.index li span {
			white-space: nowrap;
			color: transparent; }
		ul.index li a:hover + span,
		ul.index li a:focus + span {
			color: #707070;
		}
	}

/** Index Tables *****************************************************/
	/* See also the data table styling section, which this effectively subclasses */

	table.index {
		font-size: small;
		border-collapse: collapse;
		border-spacing: 0;
		text-align: left;
		margin: 1em 0;
	}

	table.index td,
	table.index th {
		padding: 0.4em;
	}

	table.index tr:hover td:not([rowspan]),
	table.index tr:hover th:not([rowspan]) {
		background: #f7f8f9;
	}

	/* The link in the first column in the property table (formerly a TD) */
	table.index th:first-child a {
		font-weight: bold;
	}

/******************************************************************************/
/*                                    Print                                   */
/******************************************************************************/

	@media print {
		/* Pages have their own margins. */
		html {
			margin: 0;
		}
		/* Serif for print. */
		body {
			font-family: serif;
		}
	}
	@page {
		margin: 1.5cm 1.1cm;
	}

/******************************************************************************/
/*                                    Legacy                                  */
/******************************************************************************/

	/* This rule is inherited from past style sheets. No idea what it's for. */
	.hide { display: none }



/******************************************************************************/
/*                             Overflow Control                               */
/******************************************************************************/

	.figure .caption, .sidefigure .caption, figcaption {
		/* in case figure is overlarge, limit caption to 50em */
		max-width: 50rem;
		margin-left: auto;
		margin-right: auto;
	}
	.overlarge {
		/* Magic to create good table positioning:
		   "content column" is 50ems wide at max; less on smaller screens.
		   Extra space (after ToC + content) is empty on the right.

		   1. When table < content column, centers table in column.
		   2. When content < table < available, left-aligns.
		   3. When table > available, fills available + scroll bar.
		*/ 
		display: grid;
		grid-template-columns: minmax(0, 50em);
	}
	.overlarge > table {
		/* limit preferred width of table */
		max-width: 50em;
		margin-left: auto;
		margin-right: auto;
	}

	@media (min-width: 55em) {
		.overlarge {
			margin-right: calc(13px + 26.5rem - 50vw);
			max-width: none;
		}
	}
	@media screen and (min-width: 78em) {
		body:not(.toc-inline) .overlarge {
			/* 30.5em body padding 50em content area */
			margin-right: calc(40em - 50vw) !important;
		}
	}
	@media screen and (min-width: 90em) {
		body:not(.toc-inline) .overlarge {
			/* 4em html margin 30.5em body padding 50em content area */
			margin-right: calc(84.5em - 100vw) !important;
		}
	}

	@media not print {
		.overlarge {
			overflow-x: auto;
			/* See Lea Verou's explanation background-attachment:
			 * http://lea.verou.me/2012/04/background-attachment-local/
			 *
			background: top left  / 4em 100% linear-gradient(to right,  #ffffff, rgba(255, 255, 255, 0)) local,
			            top right / 4em 100% linear-gradient(to left, #ffffff, rgba(255, 255, 255, 0)) local,
			            top left  / 1em 100% linear-gradient(to right,  #c3c3c5, rgba(195, 195, 197, 0)) scroll,
			            top right / 1em 100% linear-gradient(to left, #c3c3c5, rgba(195, 195, 197, 0)) scroll,
			            white;
			background-repeat: no-repeat;
			*/
		}
	}
</style>
  <link href="https://w3c.github.io/webappsec-feature-policy/document-policy.html" rel="canonical">
<style>/* style-md-lists */

/* This is a weird hack for me not yet following the commonmark spec
   regarding paragraph and lists. */
[data-md] > :first-child {
    margin-top: 0;
}
[data-md] > :last-child {
    margin-bottom: 0;
}</style>
<style>/* style-counters */

body {
    counter-reset: example figure issue;
}
.issue {
    counter-increment: issue;
}
.issue:not(.no-marker)::before {
    content: "Issue " counter(issue);
}

.example {
    counter-increment: example;
}
.example:not(.no-marker)::before {
    content: "Example " counter(example);
}
.invalid.example:not(.no-marker)::before,
.illegal.example:not(.no-marker)::before {
    content: "Invalid Example" counter(example);
}

figcaption {
    counter-increment: figure;
}
figcaption:not(.no-marker)::before {
    content: "Figure " counter(figure) " ";
}</style>
<style>/* style-dfn-panel */

.dfn-panel {
    position: absolute;
    z-index: 35;
    height: auto;
    width: -webkit-fit-content;
    width: fit-content;
    max-width: 300px;
    max-height: 500px;
    overflow: auto;
    padding: 0.5em 0.75em;
    font: small Helvetica Neue, sans-serif, Droid Sans Fallback;
    background: #DDDDDD;
    color: black;
    border: outset 0.2em;
}
.dfn-panel:not(.on) { display: none; }
.dfn-panel * { margin: 0; padding: 0; text-indent: 0; }
.dfn-panel > b { display: block; }
.dfn-panel a { color: black; }
.dfn-panel a:not(:hover) { text-decoration: none !important; border-bottom: none !important; }
.dfn-panel > b + b { margin-top: 0.25em; }
.dfn-panel ul { padding: 0; }
.dfn-panel li { list-style: inside; }
.dfn-panel.activated {
    display: inline-block;
    position: fixed;
    left: .5em;
    bottom: 2em;
    margin: 0 auto;
    max-width: calc(100vw - 1.5em - .4em - .5em);
    max-height: 30vh;
}

.dfn-paneled { cursor: pointer; }
</style>
<style>/* style-selflinks */

.heading, .issue, .note, .example, li, dt {
    position: relative;
}
a.self-link {
    position: absolute;
    top: 0;
    left: calc(-1 * (3.5rem - 26px));
    width: calc(3.5rem - 26px);
    height: 2em;
    text-align: center;
    border: none;
    transition: opacity .2s;
    opacity: .5;
}
a.self-link:hover {
    opacity: 1;
}
.heading > a.self-link {
    font-size: 83%;
}
li > a.self-link {
    left: calc(-1 * (3.5rem - 26px) - 2em);
}
dfn > a.self-link {
    top: auto;
    left: auto;
    opacity: 0;
    width: 1.5em;
    height: 1.5em;
    background: gray;
    color: white;
    font-style: normal;
    transition: opacity .2s, background-color .2s, color .2s;
}
dfn:hover > a.self-link {
    opacity: 1;
}
dfn > a.self-link:hover {
    color: black;
}

a.self-link::before            { content: "¶"; }
.heading > a.self-link::before { content: "§"; }
dfn > a.self-link::before      { content: "#"; }</style>
<style>/* style-autolinks */

.css.css, .property.property, .descriptor.descriptor {
    color: #005a9c;
    font-size: inherit;
    font-family: inherit;
}
.css::before, .property::before, .descriptor::before {
    content: "‘";
}
.css::after, .property::after, .descriptor::after {
    content: "’";
}
.property, .descriptor {
    /* Don't wrap property and descriptor names */
    white-space: nowrap;
}
.type { /* CSS value <type> */
    font-style: italic;
}
pre .property::before, pre .property::after {
    content: "";
}
[data-link-type="property"]::before,
[data-link-type="propdesc"]::before,
[data-link-type="descriptor"]::before,
[data-link-type="value"]::before,
[data-link-type="function"]::before,
[data-link-type="at-rule"]::before,
[data-link-type="selector"]::before,
[data-link-type="maybe"]::before {
    content: "‘";
}
[data-link-type="property"]::after,
[data-link-type="propdesc"]::after,
[data-link-type="descriptor"]::after,
[data-link-type="value"]::after,
[data-link-type="function"]::after,
[data-link-type="at-rule"]::after,
[data-link-type="selector"]::after,
[data-link-type="maybe"]::after {
    content: "’";
}

[data-link-type].production::before,
[data-link-type].production::after,
.prod [data-link-type]::before,
.prod [data-link-type]::after {
    content: "";
}

[data-link-type=element],
[data-link-type=element-attr] {
    font-family: Menlo, Consolas, "DejaVu Sans Mono", monospace;
    font-size: .9em;
}
[data-link-type=element]::before { content: "<" }
[data-link-type=element]::after  { content: ">" }

[data-link-type=biblio] {
    white-space: pre;
}</style>
 <body class="h-entry">
  <div class="head">
   <p data-fill-with="logo"><a class="logo" href="https://www.w3.org/"> <img alt="W3C" height="48" src="https://www.w3.org/StyleSheets/TR/2016/logos/W3C" width="72"> </a> </p>
   <h1 class="p-name no-ref" id="title">Document Policy</h1>
   <h2 class="no-num no-toc no-ref heading settled" id="subtitle"><span class="content">Editor’s Draft, <time class="dt-updated" datetime="1970-01-01">1 January 1970</time></span></h2>
   <div data-fill-with="spec-metadata">
    <dl>
     <dt>This version:
     <dd><a class="u-url" href="https://w3c.github.io/webappsec-feature-policy/document-policy.html">https://w3c.github.io/webappsec-feature-policy/document-policy.html</a>
     <dt>Feedback:
     <dd><span><a href="mailto:public-webappsec@w3.org?subject=%5Bdocument-policy%5D%20YOUR%20TOPIC%20HERE">public-webappsec@w3.org</a> with subject line “<kbd>[document-policy] <i data-lt>… message topic …</i></kbd>” (<a href="https://lists.w3.org/Archives/Public/public-webappsec/" rel="discussion">archives</a>)</span>
     <dt class="editor">Editor:
     <dd class="editor p-author h-card vcard"><a class="p-name fn u-email email" href="mailto:iclelland@google.com">Ian Clelland</a> (<span class="p-org org">Google</span>)
    </dl>
   </div>
   <div data-fill-with="warning"></div>
   <p class="copyright" data-fill-with="copyright"><a href="https://www.w3.org/Consortium/Legal/ipr-notice#Copyright">Copyright</a> © 1970 <a href="https://www.w3.org/"><abbr title="World Wide Web Consortium">W3C</abbr></a><sup>®</sup> (<a href="https://www.csail.mit.edu/"><abbr title="Massachusetts Institute of Technology">MIT</abbr></a>, <a href="https://www.ercim.eu/"><abbr title="European Research Consortium for Informatics and Mathematics">ERCIM</abbr></a>, <a href="https://www.keio.ac.jp/">Keio</a>, <a href="https://ev.buaa.edu.cn/">Beihang</a>). W3C <a href="https://www.w3.org/Consortium/Legal/ipr-notice#Legal_Disclaimer">liability</a>, <a href="https://www.w3.org/Consortium/Legal/ipr-notice#W3C_Trademarks">trademark</a> and <a href="https://www.w3.org/Consortium/Legal/copyright-documents">document use</a> rules apply. </p>
   <hr title="Separator for header">
  </div>
  <div class="p-summary" data-fill-with="abstract">
   <h2 class="no-num no-toc no-ref heading settled" id="abstract"><span class="content">Abstract</span></h2>
   <p>This specification defines a mechanism that allows developers to ...</p>
  </div>
  <h2 class="no-num no-toc no-ref heading settled" id="status"><span class="content">Status of this document</span></h2>
  <div data-fill-with="status">
   <p> This is a public copy of the editors’ draft.
	It is provided for discussion only and may change at any moment.
	Its publication here does not imply endorsement of its contents by W3C.
	Don’t cite this document other than as work in progress. </p>
   <p> <strong>Changes to this document may be tracked at <a href="https://github.com/w3c/webappsec">https://github.com/w3c/webappsec</a>.</strong> </p>
   <p> The (<a href="https://lists.w3.org/Archives/Public/public-webappsec/">archived</a>) public mailing list <a href="mailto:public-webappsec@w3.org?Subject=%5Bdocument-policy%5D%20PUT%20SUBJECT%20HERE">public-webappsec@w3.org</a> (see <a href="https://www.w3.org/Mail/Request">instructions</a>)
	is preferred for discussion of this specification.
	When sending e-mail,
	please put the text “document-policy” in the subject,
	preferably like this:
	“[document-policy] <em>…summary of comment…</em>” </p>
   <p> This document was produced by the <a href="https://www.w3.org/2011/webappsec/">Web Application Security Working Group</a>. </p>
   <p> This document was produced by a group operating under
	the <a href="https://www.w3.org/Consortium/Patent-Policy/">W3C Patent Policy</a>.
	W3C maintains a <a href="https://www.w3.org/2004/01/pp-impl/49309/status" rel="disclosure">public list of any patent disclosures</a> made in connection with the deliverables of the group;
	that page also includes instructions for disclosing a patent.
	An individual who has actual knowledge of a patent which the individual believes contains <a href="https://www.w3.org/Consortium/Patent-Policy/#def-essential">Essential Claim(s)</a> must disclose the information in accordance with <a href="https://www.w3.org/Consortium/Patent-Policy/#sec-Disclosure">section 6 of the W3C Patent Policy</a>. </p>
   <p> This document is governed by the <a href="https://www.w3.org/2019/Process-20190301/" id="w3c_process_revision">1 March 2019 W3C Process Document</a>. </p>
   <p></p>
  </div>
  <div data-fill-with="at-risk"></div>
  <nav data-fill-with="table-of-contents" id="toc">
   <h2 class="no-num no-toc no-ref" id="contents">Table of Contents</h2>
   <ol class="toc" role="directory">
    <li><a href="#introduction"><span class="secno">1</span> <span class="content">Introduction</span></a>
    <li><a href="#examples"><span class="secno">2</span> <span class="content">Examples #</span></a>
    <li>
     <a href="#other-and-related-mechanisms"><span class="secno">3</span> <span class="content">Other and related mechanisms</span></a>
     <ol class="toc">
      <li><a href="#relation-to-feature-policy"><span class="secno">3.1</span> <span class="content">Relation to Feature Policy</span></a>
      <li><a href="#relation-to-csp"><span class="secno">3.2</span> <span class="content">Relation to Content Security Policy</span></a>
      <li><a href="#relation-to-sandboxing"><span class="secno">3.3</span> <span class="content">Relation to Sandboxing</span></a>
     </ol>
    <li>
     <a href="#framework"><span class="secno">4</span> <span class="content">Framework</span></a>
     <ol class="toc">
      <li><a href="#features"><span class="secno">4.1</span> <span class="content">Features</span></a>
      <li><a href="#policies"><span class="secno">4.2</span> <span class="content">Policies</span></a>
      <li><a href="#values"><span class="secno">4.3</span> <span class="content">Values</span></a>
      <li><a href="#default-values"><span class="secno">4.4</span> <span class="content">Default Values</span></a>
     </ol>
    <li><a href="#serialization"><span class="secno">5</span> <span class="content">Required Policy Serialization</span></a>
    <li>
     <a href="#delivery"><span class="secno">6</span> <span class="content">Delivery</span></a>
     <ol class="toc">
      <li>
       <a href="#policies-as-structured-headers"><span class="secno">6.1</span> <span class="content">Policies as Structured Headers</span></a>
       <ol class="toc">
        <li><a href="#boolean-valued-features"><span class="secno">6.1.1</span> <span class="content">Boolean-valued features</span></a>
        <li><a href="#integer-valued-features"><span class="secno">6.1.2</span> <span class="content">Integer-valued features</span></a>
        <li><a href="#float-valued-features"><span class="secno">6.1.3</span> <span class="content">Float-valued features</span></a>
        <li><a href="#enum-valued-features"><span class="secno">6.1.4</span> <span class="content">Enum-valued features</span></a>
       </ol>
      <li>
       <a href="#http-headers"><span class="secno">6.2</span> <span class="content">HTTP Headers</span></a>
       <ol class="toc">
        <li><a href="#document-policy-http-header"><span class="secno">6.2.1</span> <span class="content">Document-Policy</span></a>
        <li><a href="#require-document-policy-http-header"><span class="secno">6.2.2</span> <span class="content">Require-Document-Policy</span></a>
        <li><a href="#sec-required-document-policy-http-header"><span class="secno">6.2.3</span> <span class="content">Sec-Required-Document-Policy</span></a>
       </ol>
      <li><a href="#iframe-policy-attribute"><span class="secno">6.3</span> <span class="content">The <code>policy</code> attribute of the <code>iframe</code> element</span></a>
     </ol>
    <li>
     <a href="#integrations"><span class="secno">7</span> <span class="content">Integrations</span></a>
     <ol class="toc">
      <li><a href="#integration-with-html"><span class="secno">7.1</span> <span class="content">Integration with HTML</span></a>
      <li><a href="#integration-with-fetch"><span class="secno">7.2</span> <span class="content">Integration with Fetch</span></a>
     </ol>
    <li>
     <a href="#algorithms"><span class="secno">8</span> <span class="content">Algorithms</span></a>
     <ol class="toc">
      <li><a href="#algo-is-policy-compatible"><span class="secno">8.1</span> <span class="content"><span>Is policy compatible</span>?</span></a>
      <li><a href="#algo-process-response-policy"><span class="secno">8.2</span> <span class="content"><span>Process response policy</span></span></a>
      <li><a href="#algo-parse-required-policy"><span class="secno">8.3</span> <span class="content"><span>Parse document policy</span></span></a>
      <li><a href="#algo-serialize-required-policy"><span class="secno">8.4</span> <span class="content"><span>Serialize required policy</span></span></a>
      <li><a href="#algo-create-for-browsingcontext"><span class="secno">8.5</span> <span class="content"><span>Create a required policy for a browsing context</span></span></a>
      <li><a href="#algo-create-document-policy"><span class="secno">8.6</span> <span class="content"><span>Create a document Policy for a browsing context from response</span></span></a>
      <li><a href="#algo-should-reponse-to-request-be-blocked"><span class="secno">8.7</span> <span class="content"><span>Should <var>response</var> to <var>request</var> be blocked due to document policy</span>?</span></a>
      <li><a href="#algo-get-policy-value"><span class="secno">8.8</span> <span class="content"><span>Get policy value for <var>feature</var> in <var>document</var></span></span></a>
     </ol>
    <li><a href="#iana-considerations"><span class="secno">9</span> <span class="content">IANA Considerations</span></a>
    <li>
     <a href="#privacy-and-security"><span class="secno">10</span> <span class="content">Privacy and Security</span></a>
     <ol class="toc">
      <li><a href="#exposure-of-cross-origin-behavior"><span class="secno">10.1</span> <span class="content">Exposure of cross-origin behavior {#exposure-of-cross-origin-behavior}</span></a>
      <li><a href="#unanticipated-behavior-changes"><span class="secno">10.2</span> <span class="content">Unanticipated behavior changes</span></a>
      <li><a href="#advertisement-of-required-policy"><span class="secno">10.3</span> <span class="content">Advertisement of required policy</span></a>
     </ol>
    <li>
     <a href="#conformance"><span class="secno"></span> <span class="content">Conformance</span></a>
     <ol class="toc">
      <li><a href="#conventions"><span class="secno"></span> <span class="content">Document conventions</span></a>
      <li><a href="#conformant-algorithms"><span class="secno"></span> <span class="content">Conformant Algorithms</span></a>
     </ol>
    <li>
     <a href="#index"><span class="secno"></span> <span class="content">Index</span></a>
     <ol class="toc">
      <li><a href="#index-defined-here"><span class="secno"></span> <span class="content">Terms defined by this specification</span></a>
      <li><a href="#index-defined-elsewhere"><span class="secno"></span> <span class="content">Terms defined by reference</span></a>
     </ol>
    <li>
     <a href="#references"><span class="secno"></span> <span class="content">References</span></a>
     <ol class="toc">
      <li><a href="#normative"><span class="secno"></span> <span class="content">Normative References</span></a>
      <li><a href="#informative"><span class="secno"></span> <span class="content">Informative References</span></a>
     </ol>
   </ol>
  </nav>
  <main>
   <section>
    <h2 class="heading settled" data-level="1" id="introduction"><span class="secno">1. </span><span class="content">Introduction</span><a class="self-link" href="#introduction"></a></h2>
    <p>This document defines <em>Document Policy</em>, which is a framework for
  designing configurable features as part of the web platform, and for allowing
  web developers to configure those features as part of their site deployment.</p>
   </section>
   <section>
    <h2 class="heading settled" data-level="2" id="examples"><span class="secno">2. </span><span class="content">Examples #</span><a class="self-link" href="#examples"></a></h2>
    <p>Needs new examples. For now, see explainer.</p>
   </section>
   <section>
    <h2 class="heading settled" data-level="3" id="other-and-related-mechanisms"><span class="secno">3. </span><span class="content">Other and related mechanisms</span><a class="self-link" href="#other-and-related-mechanisms"></a></h2>
    <p>Document Policy is similar in scope to some existing mechanisms for document
  configuration, though there are significant differences from each.</p>
    <section>
     <h3 class="heading settled" data-level="3.1" id="relation-to-feature-policy"><span class="secno">3.1. </span><span class="content">Relation to Feature Policy</span><a class="self-link" href="#relation-to-feature-policy"></a></h3>
     <p>Feature Policy <a data-link-type="biblio" href="#biblio-feature-policy">[FEATURE-POLICY]</a> is another mechanism which allows authors
    to configure features in documents, and is similar in scope, though it uses
    a different inheritance mechanism, which makes it more suitable for certain
    types of features, separate from those which are suitable for control by
    document policy.</p>
     <p>Historically, document policy was created as a response to a number of
    proposed feature additions to feature policy, which either didn’t quite fit
    the existing 'feature' model, or required significant additional complexity
    to be added to the feature policy spec. This included features with
    parameters, features with optional inheritance into subframes, and features
    which would inherit differently in popups than in other top-level browsing
    contexts.</p>
     <p>Those features are now proposed to be covered by document policy, and
    feature policy is used for features where delegation is the primary concern.
    Feature policy features are boolean-valued (either enabled or disabled), can
    never be re-enabled in a child frame if disabled in parent, and generally
    follow the model of "available in top-level browsing contexts and their
    same-origin children; must be delegated to cross-origin frames."</p>
     <p>In contrast, features controlled by document policy may take parameters, and
    those parameters may have unrelated values in different frames (constraining
    a feature in a parent frame does not necessarily constrain its child
    frames.)</p>
    </section>
    <section>
     <h3 class="heading settled" data-level="3.2" id="relation-to-csp"><span class="secno">3.2. </span><span class="content">Relation to Content Security Policy</span><a class="self-link" href="#relation-to-csp"></a></h3>
     <p>Content-Security-Policy <a data-link-type="biblio" href="#biblio-csp">[CSP]</a> also configures 'features' in documents,
    although it is primarily concerned with the origin of resources in a page,
    rather than controlling what those resources can do once loaded.</p>
     <p>CSP also provides a different mechanism for setting sandbox flags on a
    document, through the <em>sandbox</em> directive. If sandbox flags are moved
    to document policy, then this may be redundant, as the two headers may
    encode identical information.</p>
     <p>CSP-Embedded-Enforcement introduced a model for forcing a policy to be
    adhered to by child documents, and for rejecting non-conforming documents as
    network errors during Fetch. This model is adopted by document policy for
    the required policy mechanism.</p>
    </section>
    <section>
     <h3 class="heading settled" data-level="3.3" id="relation-to-sandboxing"><span class="secno">3.3. </span><span class="content">Relation to Sandboxing</span><a class="self-link" href="#relation-to-sandboxing"></a></h3>
     <p>Iframe sandboxing is another mechanism for controlling features in
    documents, and behaves in a very similar manner to document policy’s
    required policies: disabling a feature is something that can be imposed on
    a frame, and affects all content loaded into that frame.</p>
     <p>The features which are controlled by the iframe sandbox attribute could be
    expressed very naturally with document policy.</p>
     <p>One key difference between iframe sandboxing and document policy is that all
    sandbox features are applied by default when the 'sandbox' attribute is used
    on a frame, and must be re-enabled one-by-one. This makes it very difficult
    to extend the sandboxing model with new features, as any additions will
    immediately affect all existing sandboxed content. Additionally, there is no
    mechanism for the origin server to know that its content will be sandboxed,
    so it is difficult to add new sandbox features which could potentially alter
    control flow in a sandboxed document, as this could introduce new security
    vulnerabilities in existing content.</p>
    </section>
   </section>
   <section>
    <h2 class="heading settled" data-level="4" id="framework"><span class="secno">4. </span><span class="content">Framework</span><a class="self-link" href="#framework"></a></h2>
    <section>
     <h3 class="heading settled" data-level="4.1" id="features"><span class="secno">4.1. </span><span class="content">Features</span><a class="self-link" href="#features"></a></h3>
     <p>A <dfn data-dfn-type="dfn" data-export data-lt="document policy controlled feature" id="document-policy-controlled-feature">feature<a class="self-link" href="#document-policy-controlled-feature"></a></dfn> is
    defined by</p>
     <ul>
      <li data-md>
       <p>A name, which is a token,</p>
      <li data-md>
       <p>A value type, which is either <code>boolean</code>, <code>integer</code>, <code>float</code>, or <code>enum</code>,</p>
      <li data-md>
       <p>A value range, which is a subset of the possible values for the feature’s
type, and</p>
      <li data-md>
       <p>A <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="default-value">default value</dfn>, which is an element of the feature’s value
range.</p>
     </ul>
     <div class="informative"> When introducing a new feature, the default value should be chosen
    carefully, with highest consideration given to web compatibility. When no
    explicit policy has been declared for a document, the default value will be
    in effect. </div>
    </section>
    <section>
     <h3 class="heading settled" data-level="4.2" id="policies"><span class="secno">4.2. </span><span class="content">Policies</span><a class="self-link" href="#policies"></a></h3>
     <ul>
      <li data-md>
       <p>Browsing context has a <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="required-document-policy">required document policy</dfn>, which is a <a data-link-type="dfn" href="#document-policy" id="ref-for-document-policy">document policy</a>.</p>
      <li data-md>
       <p>Browsing context has a <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="nested-context-required-document-policy">nested context required document policy</dfn>,
which is a <a data-link-type="dfn" href="#document-policy" id="ref-for-document-policy①">document policy</a>.</p>
      <li data-md>
       <p>Document has a <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="declared-document-policy">declared document policy</dfn>, which is a <a data-link-type="dfn" href="#document-policy" id="ref-for-document-policy②">document
policy</a>.</p>
     </ul>
     <p>A <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="document-policy">document policy</dfn> is an ordered map from <a data-link-type="dfn" href="https://wicg.github.io/feature-policy/#policy-controlled-feature" id="ref-for-policy-controlled-feature">features</a> to <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-header-value" id="ref-for-concept-header-value">values</a>.</p>
     <ul>
      <li data-md>
       <p>A browsing context with a null opener browsing context has an empty <a data-link-type="dfn" href="#required-document-policy" id="ref-for-required-document-policy">required document policy</a>.</p>
     </ul>
    </section>
    <section>
     <h3 class="heading settled" data-level="4.3" id="values"><span class="secno">4.3. </span><span class="content">Values</span><a class="self-link" href="#values"></a></h3>
     <ul>
      <li data-md>
       <p>Policies have values for features</p>
      <li data-md>
       <p>Values have domains</p>
      <li data-md>
       <p>Domains have ordering</p>
      <li data-md>
       <p>Examples: positive ints, floats, bools, enums</p>
     </ul>
    </section>
    <section>
     <h3 class="heading settled" data-level="4.4" id="default-values"><span class="secno">4.4. </span><span class="content">Default Values</span><a class="self-link" href="#default-values"></a></h3>
     <ul>
      <li data-md>
       <p>features have default values.</p>
      <li data-md>
       <p>(Non-normative) Defaults are chosen for web compatibility.</p>
     </ul>
    </section>
   </section>
   <section>
    <h2 class="heading settled" data-level="5" id="serialization"><span class="secno">5. </span><span class="content">Required Policy Serialization</span><a class="self-link" href="#serialization"></a></h2>
    <section>
     <ul>
      <li data-md>
       <p>Explain here how required policies are <dfn class="dfn-paneled" data-dfn-type="dfn" data-lt="serialized document policy" data-noexport id="serialized-document-policy">serialized</dfn> as structured
headers.</p>
      <li data-md>
       <p>Ensure that there is a canonical form (for compat testing).</p>
     </ul>
    </section>
   </section>
   <section>
    <h2 class="heading settled" data-level="6" id="delivery"><span class="secno">6. </span><span class="content">Delivery</span><a class="self-link" href="#delivery"></a></h2>
    <section>
     <h3 class="heading settled" data-level="6.1" id="policies-as-structured-headers"><span class="secno">6.1. </span><span class="content">Policies as Structured Headers</span><a class="self-link" href="#policies-as-structured-headers"></a></h3>
     <p>Policies are represented in HTTP headers and in HTML attributes as the
    serialization of an sh-list structure. The list members are tokens, each
    corresponding to a <dfn class="dfn-paneled" data-dfn-type="dfn" data-noexport id="policy-directive">policy directive</dfn>. Each token may take a single
    parameter; the details of the parameter name and allowed values are
    determined by the value type of the feature which the token names.</p>
     <h4 class="heading settled" data-level="6.1.1" id="boolean-valued-features"><span class="secno">6.1.1. </span><span class="content">Boolean-valued features</span><a class="self-link" href="#boolean-valued-features"></a></h4>
     <p>Boolean-valued features do not take any parameters. They may be expressed in
    headers by simply naming them, to enable the feature, or naming them with a
    prefix of 'no-', to disable the feature.</p>
     <p>Examples:</p>
     <ul>
      <li data-md>
       <p><code>boolean-feature</code></p>
      <li data-md>
       <p><code>no-boolean-feature</code></p>
     </ul>
     <h4 class="heading settled" data-level="6.1.2" id="integer-valued-features"><span class="secno">6.1.2. </span><span class="content">Integer-valued features</span><a class="self-link" href="#integer-valued-features"></a></h4>
     <p>Integer-valued features should have a single parameter, whose name is
    defined by the feature, and whose value should be an Integer. The range of
    Integers allowed should be defined by the feature.</p>
     <p>Examples:</p>
     <ul>
      <li data-md>
       <p><code>integer-feature;p=2</code></p>
     </ul>
     <h4 class="heading settled" data-level="6.1.3" id="float-valued-features"><span class="secno">6.1.3. </span><span class="content">Float-valued features</span><a class="self-link" href="#float-valued-features"></a></h4>
     <p>Float-valued features should have a single parameter, whose name is defined
    by the feature, and whose value should be a Float. The range of Floats
    allowed should be defined by the feature.</p>
     <p>Examples:</p>
     <ul>
      <li data-md>
       <p><code>float-feature;q=-0.2</code></p>
     </ul>
     <h4 class="heading settled" data-level="6.1.4" id="enum-valued-features"><span class="secno">6.1.4. </span><span class="content">Enum-valued features</span><a class="self-link" href="#enum-valued-features"></a></h4>
     <p>Enum-valued features should take a parameter with no value. The allowed
    values for the enum should be used as the parameter name.</p>
     <p>Examples:</p>
     <ul>
      <li data-md>
       <p><code>enum-feature;state</code></p>
     </ul>
    </section>
    <section>
     <h3 class="heading settled" data-level="6.2" id="http-headers"><span class="secno">6.2. </span><span class="content">HTTP Headers</span><a class="self-link" href="#http-headers"></a></h3>
     <section>
      <h4 class="heading settled" data-level="6.2.1" id="document-policy-http-header"><span class="secno">6.2.1. </span><span class="content">Document-Policy</span><a class="self-link" href="#document-policy-http-header"></a></h4>
      <p>The `<dfn data-dfn-type="http-header" data-export id="document-policy-header"><code>Document-Policy</code><a class="self-link" href="#document-policy-header"></a></dfn>` HTTP
    header can be used in the <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-response" id="ref-for-concept-response-response">response</a> (server to client) to communicate the <a data-link-type="dfn" href="#document-policy" id="ref-for-document-policy③">document policy</a> that should be enforced by the client.</p>
      <p>The <code>Document-Policy</code> header is a Structured Header. Its value
    must be a list. Its ABNF is:</p>
      <p>Document-Policy = sh-list</p>
      <p>Each list element must be a token. If the token does not name a supported
    feature, (or a supported boolean feature prefixed by "no-",) then the list
    element must be ignored.</p>
     </section>
     <section>
      <h4 class="heading settled" data-level="6.2.2" id="require-document-policy-http-header"><span class="secno">6.2.2. </span><span class="content">Require-Document-Policy</span><a class="self-link" href="#require-document-policy-http-header"></a></h4>
      <p>The `<dfn data-dfn-type="http-header" data-export id="require-document-policy-header"><code>Require-Document-Policy</code><a class="self-link" href="#require-document-policy-header"></a></dfn>`
    HTTP header field is a response header which is used to communicate to the
    client the minimum <a data-link-type="dfn" href="#required-document-policy" id="ref-for-required-document-policy①">required document policy</a> to apply to all nested
    content.</p>
      <p>The <code>Require-Document-Policy</code> header is a Structured Header list, with
    exactly the same syntax as the <code>Document-Policy</code> header.</p>
     </section>
     <section>
      <h4 class="heading settled" data-level="6.2.3" id="sec-required-document-policy-http-header"><span class="secno">6.2.3. </span><span class="content">Sec-Required-Document-Policy</span><a class="self-link" href="#sec-required-document-policy-http-header"></a></h4>
      <p>The `<dfn data-dfn-type="http-header" data-export id="sec-required-document-policy-header"><code>Sec-Required-Document-Policy</code><a class="self-link" href="#sec-required-document-policy-header"></a></dfn>`
    HTTP header field is a request header which is used to communicate to the
    server the <a data-link-type="dfn" href="#document-policy" id="ref-for-document-policy④">document policy</a> which must be sent with the document
    returned with the request.</p>
      <p>The header’s value is the <a href="#serialization">§ 5 Required Policy Serialization</a> of one or more <a data-link-type="dfn" href="#policy-directive" id="ref-for-policy-directive">policy directive</a>s</p>
     </section>
    </section>
    <section>
     <h3 class="heading settled" data-level="6.3" id="iframe-policy-attribute"><span class="secno">6.3. </span><span class="content">The <code>policy</code> attribute of the <code>iframe</code> element</span><a class="self-link" href="#iframe-policy-attribute"></a></h3>
     <p><code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element" id="ref-for-the-iframe-element">iframe</a></code> elements have a "<code>policy</code>" attribute, which contains a required
    policy directive (SH format).</p>
    </section>
   </section>
   <section>
    <h2 class="heading settled" data-level="7" id="integrations"><span class="secno">7. </span><span class="content">Integrations</span><a class="self-link" href="#integrations"></a></h2>
    <p>If a frame has a required policy, then that policy must be advertised in the
  request header for any outgoing document requests, to inform the server of the
  policy which will be applied to the document by the user agent. This allows
  the server to alter the representation which is returned, to conform to that
  policy.</p>
    <p>In the case where a required policy request header is present, the response
  must contain a compatible document policy header, or the fetch will fail.</p>
    <section>
     <h3 class="heading settled" data-level="7.1" id="integration-with-html"><span class="secno">7.1. </span><span class="content">Integration with HTML</span><a class="self-link" href="#integration-with-html"></a></h3>
     <p>The following changes should be incorporated into <a data-link-type="biblio" href="#biblio-html">[HTML]</a>:</p>
     <ul>
      <li data-md>
       <p><code><a data-link-type="element" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element" id="ref-for-the-iframe-element①">iframe</a></code> elements should have the following IDL added:</p>
     </ul>
<pre>        [CEReactions] attribute DOMString policy;
</pre>
     <ul>
      <li data-md>
       <p>The iframe policy attribute should be defined as follows:</p>
       <ul>
        <li data-md>
         <p>The <code>policy</code> attribute, when specified, adds a <a data-link-type="dfn" href="#required-document-policy" id="ref-for-required-document-policy②">required document
policy</a> to the <code>iframe</code>'s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#nested-browsing-context" id="ref-for-nested-browsing-context">nested browsing context</a>, when it is
initialized. Its value must be a <a data-link-type="dfn" href="#serialized-document-policy" id="ref-for-serialized-document-policy">serialized document policy</a>.</p>
       </ul>
      <li data-md>
       <p>In <a href="https://html.spec.whatwg.org/multipage/dom.html#the-document-object">HTML 5 §3.1.1 The Document object</a>, add the following line:</p>
       <ul>
        <li data-md>
         <p>The <a data-link-type="dfn" href="https://dom.spec.whatwg.org/#concept-document" id="ref-for-concept-document">Document</a> has a <b>document policy</b>, which is a <a data-link-type="dfn" href="#document-policy" id="ref-for-document-policy⑤">document
policy</a>, which is initially empty.</p>
       </ul>
      <li data-md>
       <p>In the <span spec-section="#creating-a-new-browsing-context"></span> algorithm:</p>
       <ul>
        <li data-md>
         <p>Add the following step after step 5:</p>
         <ol start="6">
          <li data-md>
           <p>Set <var>browsingContext</var>’s <a data-link-type="dfn" href="#required-document-policy" id="ref-for-required-document-policy③">required document policy</a> to the result
of <a data-link-type="dfn" href="#create-for-browsingcontext" id="ref-for-create-for-browsingcontext">creating a required policy
for a browsing context</a> <var>browsingContext</var>.</p>
         </ol>
        <li data-md>
         <p>Change step 9 (renumbered now to 10) to read:</p>
         <ol start="10">
          <li data-md>
           <p>Let <var>document</var> be a new <a data-link-type="dfn" href="https://dom.spec.whatwg.org/#concept-document" id="ref-for-concept-document①">Document</a>, marked as an <a data-link-type="dfn" href="https://dom.spec.whatwg.org/#html-document" id="ref-for-html-document">HTML
document</a> in <a data-link-type="dfn" href="https://dom.spec.whatwg.org/#concept-document-quirks" id="ref-for-concept-document-quirks">quirks mode</a>, whose <a data-link-type="dfn" href="https://dom.spec.whatwg.org/#concept-document-content-type" id="ref-for-concept-document-content-type">content type</a> is <code>"text/html"</code>, <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin" id="ref-for-concept-origin">origin</a> is <var>origin</var>, <a data-link-type="dfn">active sandboxing flag
set</a> is <var>sandboxFlags</var>, <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/dom.html#concept-document-feature-policy" id="ref-for-concept-document-feature-policy">feature policy</a> is <var>feature policy</var>,
document policy is identical to <var>browsingContext</var>’s <a data-link-type="dfn" href="#required-document-policy" id="ref-for-required-document-policy④">required
document policy</a>, and which is both ready for post-load tasks and
completely loaded immediately.</p>
         </ol>
       </ul>
      <li data-md>
       <p>In the <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsing-the-web.html#process-a-navigate-fetch" id="ref-for-process-a-navigate-fetch">process a navigate fetch</a> algorithm:</p>
       <ul>
        <li data-md>
         <p>Add the following step after step 5:</p>
         <ol start="6">
          <li data-md>
           <p>Set <var>request</var>’s <a data-link-type="dfn" href="#required-document-policy" id="ref-for-required-document-policy⑤">required document policy</a> to <var>browsingContext</var>’s <a data-link-type="dfn" href="#required-document-policy" id="ref-for-required-document-policy⑥">required document policy</a>.</p>
         </ol>
       </ul>
      <li data-md>
       <p>In the <span spec-section="#initialize-the-document-object"></span> algorithm:</p>
       <ul>
        <li data-md>
         <p>Add the following step after step 3:</p>
         <ol start="4">
          <li data-md>
           <p>Let <var>documentPolicy</var> be the result of <a data-link-type="dfn" href="#create-document-policy" id="ref-for-create-document-policy">creating a document policy</a> for <var>browsingContext</var> from <var>response</var>.</p>
         </ol>
        <li data-md>
         <p>Change step 6 (renumbered now to 7) to read:</p>
         <ol start="7">
          <li data-md>
           <p>Let <var>document</var> be a new Document, whose type is <var>type</var>, content type
is <var>contentType</var>, origin is <var>origin</var>, feature policy is <var>featurePolicy</var>, active sandboxing flag set is <var>finalSandboxFlags</var>,
and document policy is <var>documentPolicy</var>.</p>
         </ol>
       </ul>
     </ul>
    </section>
    <section>
     <h3 class="heading settled" data-level="7.2" id="integration-with-fetch"><span class="secno">7.2. </span><span class="content">Integration with Fetch</span><a class="self-link" href="#integration-with-fetch"></a></h3>
     <p>The following changes should be incorporated into <a data-link-type="biblio" href="#biblio-fetch">[FETCH]</a>:</p>
     <ul>
      <li data-md>
       <p>In <a href="https://fetch.spec.whatwg.org/#requests">Fetch Standard §2.2.5 Requests</a>, add the following:</p>
       <ul>
        <li data-md>
         <p>A <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-request" id="ref-for-concept-request-request">request</a> has an associated <dfn class="dfn-paneled" data-dfn-type="dfn" data-lt="request-required-document-policy" data-noexport id="request-required-document-policy">required document
policy</dfn>, which is a <a data-link-type="dfn" href="#document-policy" id="ref-for-document-policy⑥">document policy</a>. Unless otherwise
stated, it is null.</p>
       </ul>
      <li data-md>
       <p>In <a href="https://fetch.spec.whatwg.org/#http-network-or-cache-fetch">Fetch Standard §4.5 HTTP-network-or-cache fetch</a>, after step 15, insert the
following:</p>
       <ol>
        <li data-md>
         <p>If <var>httpRequest</var> has a <a data-link-type="dfn" href="#request-required-document-policy" id="ref-for-request-required-document-policy">required document policy</a>,
then</p>
         <ol>
          <li data-md>
           <p>Let <var>serializedRequiredPolicy</var> be the result of calling <a data-link-type="dfn" href="#serialize-required-policy" id="ref-for-serialize-required-policy">Serialize
 Required Policy</a> on <var>httpRequest</var>’s <a data-link-type="dfn" href="#request-required-document-policy" id="ref-for-request-required-document-policy①">required document
 policy</a>.</p>
          <li data-md>
           <p>Append <code>Sec-Required-Document-Policy</code>/<var>serializedRequiredPolicy</var> to <var>httpRequest</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-request-header-list" id="ref-for-concept-request-header-list">header list</a>.</p>
         </ol>
       </ol>
      <li data-md>
       <p>In <a href="https://fetch.spec.whatwg.org/#main-fetch">Fetch Standard §4.1 Main fetch</a>, add the following algorithm to the list of
algorithms in step 11:</p>
       <ul>
        <li data-md>
         <p><a data-link-type="dfn" href="#should-response-to-request-be-blocked-due-to-document-policy" id="ref-for-should-response-to-request-be-blocked-due-to-document-policy">should</a></p>
         <a data-link-type="dfn" href="#should-response-to-request-be-blocked-due-to-document-policy" id="ref-for-should-response-to-request-be-blocked-due-to-document-policy①"> </a>
       </ul>
     </ul>
     <a data-link-type="dfn" href="#should-response-to-request-be-blocked-due-to-document-policy" id="ref-for-should-response-to-request-be-blocked-due-to-document-policy②"> <var>internalResponse</var> to <var>request</var> be blocked due to document policy</a> 
     <ul>
      <li data-md>
       <p>Add the following algorithm to <a href="https://fetch.spec.whatwg.org/#terminology-headers">Fetch Standard §2.2.2 Headers</a>:</p>
       <ul>
        <li data-md>
         <p>To <dfn data-dfn-type="dfn" data-export id="get-and-parse-a-structured-header">get and parse a structured header<a class="self-link" href="#get-and-parse-a-structured-header"></a></dfn> <var>name</var> as <var>type</var> from <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-headers-header-list" id="ref-for-concept-headers-header-list">header list</a> <var>list</var>, run these steps:</p>
         <ol>
          <li data-md>
           <p>Let <var>input</var> be the result of getting <var>name</var> from <var>list</var>.</p>
          <li data-md>
           <p>If <var>input</var> is null, then return null.</p>
          <li data-md>
           <p>Let <var>value</var> be the result of running the <a href="https://tools.ietf.org/html/draft-ietf-httpbis-header-structure-14#section-4.2">Parsing
 Header Fields into Structured Headers</a> algorithm with <var>input</var> as <var>input_string</var> and <var>type</var> as <var>header_type</var>. <a data-link-type="biblio" href="#biblio-header-structure">[HEADER-STRUCTURE]</a></p>
          <li data-md>
           <p>If the previous step fails, return null.</p>
          <li data-md>
           <p>Return <var>value</var>.</p>
         </ol>
       </ul>
     </ul>
    </section>
   </section>
   <section>
    <h2 class="heading settled" data-level="8" id="algorithms"><span class="secno">8. </span><span class="content">Algorithms</span><a class="self-link" href="#algorithms"></a></h2>
    <section>
     <h3 class="heading settled" data-level="8.1" id="algo-is-policy-compatible"><span class="secno">8.1. </span><span class="content"><dfn class="dfn-paneled" data-dfn-type="dfn" data-export id="is-policy-compatible">Is policy compatible</dfn>?</span><a class="self-link" href="#algo-is-policy-compatible"></a></h3>
     <p>Given a <a data-link-type="dfn" href="#required-document-policy" id="ref-for-required-document-policy⑦">required document policy</a> <var>requiredPolicy</var> and a <a data-link-type="dfn" href="#declared-document-policy" id="ref-for-declared-document-policy">declared
    document policy</a> <var>declaredPolicy</var>, this algorithm returns true if <var>declaredPolicy</var> is compatible with <var>requiredPolicy</var>, or false otherwise.</p>
     <ol>
      <li data-md>
       <p>For each <var>feature</var> → <var>value</var> in <var>requiredPolicy</var>:</p>
       <ol>
        <li data-md>
         <p>If <var>feature</var> does not require acknowledgement, then continue.</p>
        <li data-md>
         <p>If <var>declaredPolicy</var>[<var>feature</var>] does not exist, then return false.</p>
        <li data-md>
         <p>If <var>requiredPolicy</var>[<var>feature</var>] is stricter than <var>declaredPolicy</var>[<var>feature</var>], then return false.</p>
       </ol>
      <li data-md>
       <p>Return true.</p>
     </ol>
    </section>
    <section>
     <h3 class="heading settled" data-level="8.2" id="algo-process-response-policy"><span class="secno">8.2. </span><span class="content"><dfn class="dfn-paneled" data-dfn-type="dfn" data-export id="process-response-policy">Process response policy</dfn></span><a class="self-link" href="#algo-process-response-policy"></a></h3>
     <p>Given a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-response" id="ref-for-concept-response-response①">response</a> (<var>response</var>), this algorithm returns a <a data-link-type="dfn" href="#declared-document-policy" id="ref-for-declared-document-policy①">declared
    document policy</a>.</p>
     <ol>
      <li data-md>
       <p>Abort these steps if the <var>response</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-header-list" id="ref-for-concept-response-header-list">header list</a> does not contain a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-header" id="ref-for-concept-header">header</a> whose <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-header-name" id="ref-for-concept-header-name">name</a> is
  "<code>Document-Policy</code>".</p>
      <li data-md>
       <p>Let <var>header</var> be the concatenation of the <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-header-value" id="ref-for-concept-header-value①">value</a>s of all <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-header" id="ref-for-concept-header①">header</a> fields in <var>response</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-header-list" id="ref-for-concept-response-header-list①">header list</a> whose name is
  "<code>Document-Policy</code>", separated by U+002C (,) (according to
  [RFC7230, 3.2.2]).</p>
      <li data-md>
       <p>Let <var>document policy</var> be the result of executing <a data-link-type="dfn" href="#parse-document-policy" id="ref-for-parse-document-policy">Parse document
  policy</a> on <var>header</var>.</p>
      <li data-md>
       <p>Return <var>document policy</var>.</p>
     </ol>
    </section>
    <section>
     <h3 class="heading settled" data-level="8.3" id="algo-parse-required-policy"><span class="secno">8.3. </span><span class="content"><dfn class="dfn-paneled" data-dfn-type="dfn" data-export id="parse-document-policy">Parse document policy</dfn></span><a class="self-link" href="#algo-parse-required-policy"></a></h3>
     <p>Given a string (<var>policyString</var>), this algorithm returns a <a data-link-type="dfn" href="#document-policy" id="ref-for-document-policy⑦">document
    policy</a>, if it can be parsed as one, or else fails.</p>
     <ol>
      <li data-md>
       <p>Let <var>policy</var> be a new ordered map.</p>
      <li data-md>
       <p>Let <var>list</var> be the result of parsing <var>policyString</var> as a list.</p>
      <li data-md>
       <p>If parsing fails, then fail.</p>
      <li data-md>
       <p>For each <var>element</var> in <var>list</var>,</p>
       <ol>
        <li data-md>
         <p>If <var>element</var> is not a token, then fail</p>
        <li data-md>
         <p>If <var>element</var> is the name of a supported feature which is a boolean
feature, then</p>
         <ol>
          <li data-md>
           <p>If <var>element</var> has any associated parameters, then fail.</p>
          <li data-md>
           <p>Let <var>feature</var> be the supported feature with name <var>element</var>.</p>
          <li data-md>
           <p>If <var>policy</var>[<var>feature</var>] exists, then continue with the next <var>element</var>.</p>
          <li data-md>
           <p>Set <var>policy</var>[<var>feature</var>] to the boolean value true.</p>
          <li data-md>
           <p>Continue with the next <var>element</var>.</p>
         </ol>
        <li data-md>
         <p>If <var>element</var> begins with the string "no-", and the remaining
characters match the name of a supported feature which is a boolean
feature, then</p>
         <ol>
          <li data-md>
           <p>If <var>element</var> has any associated parameters, then fail.</p>
          <li data-md>
           <p>Let <var>feature</var> be the supported feature with name <var>element</var>.</p>
          <li data-md>
           <p>If <var>policy</var>[<var>feature</var>] exists, then continue with the next <var>element</var>.</p>
          <li data-md>
           <p>Set <var>policy</var>[<var>feature</var>] to the boolean value false.</p>
          <li data-md>
           <p>Continue with the next <var>element</var>.</p>
         </ol>
        <li data-md>
         <p>If <var>element</var> is the name of a supported feature, then</p>
         <ol>
          <li data-md>
           <p>If <var>element</var> does not have exactly one parameter, then fail.</p>
          <li data-md>
           <p>Let <var>feature</var> be the supported feature with name <var>element</var>.</p>
          <li data-md>
           <p>If <var>policy</var>[<var>feature</var>] exists, then continue with the next <var>element</var>.</p>
          <li data-md>
           <p>If <var>feature</var> is an enum-valued feature, then</p>
           <ol>
            <li data-md>
             <p>If <var>element</var>’s parameter has a value, then fail.</p>
            <li data-md>
             <p>Let <var>value</var> be the name of <var>element</var>’s parameter.</p>
            <li data-md>
             <p>If <var>value</var> is not the name of one of <var>feature</var>s allowed
  enum values, then fail.</p>
            <li data-md>
             <p>Let <var>policy</var>[<var>feature</var>] be the enum value named <var>value</var>.</p>
            <li data-md>
             <p>Continue with the next <var>element</var>.</p>
           </ol>
          <li data-md>
           <p>If <var>element</var>’s parameter’s name does not match <var>feature</var>’s
parameter name, then fail.</p>
          <li data-md>
           <p>Let <var>value</var> be the value of <var>element</var>’s parameter.</p>
          <li data-md>
           <p>If <var>feature</var> is an integer-valued feature, then</p>
           <ol>
            <li data-md>
             <p>If <var>value</var> is not an integer, then fail.</p>
            <li data-md>
             <p>If <var>value</var> is not in <var>feature</var>’s range, then fail.</p>
            <li data-md>
             <p>Let <var>policy</var>[<var>feature</var>] be the integer value <var>value</var>.</p>
            <li data-md>
             <p>Continue with the next <var>element</var>.</p>
           </ol>
          <li data-md>
           <p>If <var>feature</var> is an float-valued feature, then</p>
           <ol>
            <li data-md>
             <p>If <var>value</var> is not a float, then fail.</p>
            <li data-md>
             <p>If <var>value</var> is not in <var>feature</var>’s range, then fail.</p>
            <li data-md>
             <p>Let <var>policy</var>[<var>feature</var>] be the float value <var>value</var>.</p>
            <li data-md>
             <p>Continue with the next <var>element</var>.</p>
           </ol>
         </ol>
       </ol>
      <li data-md>
       <p>Return <var>policy</var>.</p>
     </ol>
    </section>
    <section>
     <h3 class="heading settled" data-level="8.4" id="algo-serialize-required-policy"><span class="secno">8.4. </span><span class="content"><dfn class="dfn-paneled" data-dfn-type="dfn" data-export id="serialize-required-policy">Serialize required policy</dfn></span><a class="self-link" href="#algo-serialize-required-policy"></a></h3>
     <p>Given a <a data-link-type="dfn" href="#document-policy" id="ref-for-document-policy⑧">document policy</a> (<var>requiredPolicy</var>), this algorithm returns a
    string which represents the canonical serialization of the policy.</p>
     <ol>
      <li data-md>
       <p>Let <var>list</var> be an empty sh-list</p>
      <li data-md>
       <p>Let <var>features</var> be the keys of <var>requiredPolicy</var></p>
      <li data-md>
       <p>Sort <var>features</var> by the name of each element, in ASCII order.</p>
      <li data-md>
       <p>For each <var>feature</var> in <var>features</var>:</p>
       <ol>
        <li data-md>
         <p>If <var>feature</var> is a boolean-valued feature, then</p>
         <ol>
          <li data-md>
           <p>If <var>requiredPolicy</var>[<var>feature</var>] is true, append <var>feature</var>’s name
to <var>list</var>.</p>
          <li data-md>
           <p>Otherwise, append the sh-token formed by concatenating the string
"no-" and <var>feature</var>’s name to <var>list</var>.</p>
         </ol>
        <li data-md>
         <p>Otherwise, if <var>feature</var> is an enum-valued feature, then</p>
         <ol>
          <li data-md>
           <p>Let <var>value</var> be <var>requiredPolicy</var>[<var>feature</var>].</p>
          <li data-md>
           <p>Let <var>param</var> be a parameter with param-name <var>value</var> and with no
param-value.</p>
          <li data-md>
           <p>Append an sh-item which is an sh-token formed from <var>feature</var>’s
name, with the single parameter <var>param</var>, to <var>list</var>.</p>
         </ol>
        <li data-md>
         <p>Otherwise,</p>
         <ol>
          <li data-md>
           <p>Let <var>value</var> be <var>requiredPolicy</var>[<var>feature</var>].</p>
          <li data-md>
           <p>Let <var>param</var> be a parameter with param-name being <var>features</var>’s
parameter name, and with param-value <var>value</var>.</p>
          <li data-md>
           <p>Append an sh-item which is an sh-token formed from <var>feature</var>’s
name, with the single parameter <var>param</var>, to <var>list</var>.</p>
         </ol>
       </ol>
      <li data-md>
       <p>Return the serialization of <var>list</var>.</p>
     </ol>
    </section>
    <section>
     <h3 class="heading settled" data-level="8.5" id="algo-create-for-browsingcontext"><span class="secno">8.5. </span><span class="content"><dfn class="dfn-paneled" data-dfn-type="dfn" data-export data-lt="create-for-browsingcontext" id="create-for-browsingcontext">Create a required policy for a browsing context</dfn></span><a class="self-link" href="#algo-create-for-browsingcontext"></a></h3>
     <p>Given a <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#browsing-context" id="ref-for-browsing-context">browsing context</a> (<var>browsingContext</var>), this algorithm returns
    a new <a data-link-type="dfn" href="#document-policy" id="ref-for-document-policy⑨">Document Policy</a>.</p>
     <ol>
      <li data-md>
       <p>If <var>browsingContext</var> is a <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#nested-browsing-context" id="ref-for-nested-browsing-context①">nested browsing context</a>, then</p>
       <ol>
        <li data-md>
         <p>Let <var>requiredPolicy</var> be a clone of <var>browsingContext</var>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#browsing-context-container" id="ref-for-browsing-context-container">browsing
  context container</a>’s <a data-link-type="dfn" href="#nested-context-required-document-policy" id="ref-for-nested-context-required-document-policy">nested context required document
  policy</a>.</p>
        <li data-md>
         <p>If <var>browsingContext</var>’s <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#browsing-context-container" id="ref-for-browsing-context-container①">browsing context container</a> has a
  "policy" attribute, then</p>
         <ol>
          <li data-md>
           <p>Let <var>somethingPolicy</var> be the result of parsing the attribute</p>
          <li data-md>
           <p>For each <var>feature</var> -> <var>value</var> in <var>somethingPolicy</var>:</p>
           <ol>
            <li data-md>
             <p>If <var>requiredPolicy</var>[<var>feature</var>] does not exist, or if <var>value</var> is stricter than <var>requiredPolicy</var>[<var>feature</var>], then set <var>requiredPolicy</var>[<var>feature</var>] to <var>value</var>.</p>
           </ol>
         </ol>
       </ol>
      <li data-md>
       <p>Otherwise, let <var>requiredPolicy</var> be a new ordered map.</p>
      <li data-md>
       <p>return <var>requiredPolicy</var>.</p>
     </ol>
    </section>
    <section>
     <h3 class="heading settled" data-level="8.6" id="algo-create-document-policy"><span class="secno">8.6. </span><span class="content"><dfn class="dfn-paneled" data-dfn-type="dfn" data-export data-lt="create-document-policy" id="create-document-policy">Create a document Policy for a browsing context from response</dfn></span><a class="self-link" href="#algo-create-document-policy"></a></h3>
     <p>Given a <a data-link-type="dfn" href="https://html.spec.whatwg.org/multipage/browsers.html#browsing-context" id="ref-for-browsing-context①">browsing context</a> (<var>browsingContext</var>) and a <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-response" id="ref-for-concept-response-response②">response</a> (<var>response</var>), this algorithm returns a new <a data-link-type="dfn" href="#document-policy" id="ref-for-document-policy①⓪">Document Policy</a>.</p>
     <ol>
      <li data-md>
       <p>Let <var>requiredPolicy</var> be the result of running <a data-link-type="dfn" href="#create-for-browsingcontext" id="ref-for-create-for-browsingcontext①">Create a required policy
  for a browsing context</a> given <var>browsingContext</var>.</p>
      <li data-md>
       <p>Let <var>declaredPolicy</var> be the result of running <a data-link-type="dfn" href="#process-response-policy" id="ref-for-process-response-policy">Process response
  policy</a> on <var>response</var>.</p>
      <li data-md>
       <p>If <var>declaredPolicy</var> is <a href="#is-policy-compatible" id="ref-for-is-policy-compatible">compatible</a> with <var>requiredPolicy</var>, then return <var>declaredPolicy</var>.</p>
      <li data-md>
       <p>Throw an exception.</p>
     </ol>
    </section>
    <section>
     <h3 class="heading settled" data-level="8.7" id="algo-should-reponse-to-request-be-blocked"><span class="secno">8.7. </span><span class="content"><dfn class="dfn-paneled" data-dfn-type="dfn" data-export id="should-response-to-request-be-blocked-due-to-document-policy">Should <var>response</var> to <var>request</var> be blocked due to document policy</dfn>?</span><a class="self-link" href="#algo-should-reponse-to-request-be-blocked"></a></h3>
     <ol>
      <li data-md>
       <p>If <var>request</var> has a <a data-link-type="dfn" href="#request-required-document-policy" id="ref-for-request-required-document-policy②">required document
 policy</a>, then</p>
       <ol>
        <li data-md>
         <p>Let <var>documentPolicy</var> be the result of getting and parsing the
 structured header <code>Document-Policy</code> as "list" from <var>response</var>’s <a data-link-type="dfn" href="https://fetch.spec.whatwg.org/#concept-response-header-list" id="ref-for-concept-response-header-list②">header list</a>.</p>
        <li data-md>
         <p>If <var>documentPolicy</var> is not <a data-link-type="dfn" href="#is-policy-compatible" id="ref-for-is-policy-compatible①">compatible</a> with <var>request</var>’s <a data-link-type="dfn" href="#request-required-document-policy" id="ref-for-request-required-document-policy③">required document
 policy</a>, return "blocked".</p>
        <li data-md>
         <p>Return "valid".</p>
       </ol>
     </ol>
    </section>
    <section>
     <h3 class="heading settled" data-level="8.8" id="algo-get-policy-value"><span class="secno">8.8. </span><span class="content"><dfn data-dfn-type="dfn" data-export id="get-policy-value">Get policy value for <var>feature</var> in <var>document</var><a class="self-link" href="#get-policy-value"></a></dfn></span><a class="self-link" href="#algo-get-policy-value"></a></h3>
     <p>Given a feature (<var>feature</var>) and a <code class="idl"><a data-link-type="idl" href="https://dom.spec.whatwg.org/#document" id="ref-for-document">Document</a></code> object (<var>document</var>), this
    algorithm the value for <var>feature</var> in <var>document</var>’s <a data-link-type="dfn" href="#document-policy" id="ref-for-document-policy①①">document policy</a>.</p>
     <ol>
      <li data-md>
       <p>Let <var>policy</var> be <var>document</var>’s <a data-link-type="dfn" href="#document-policy" id="ref-for-document-policy①②">Document Policy</a>.</p>
      <li data-md>
       <p>If <var>policy</var>[<var>feature</var>] exists, return it.</p>
      <li data-md>
       <p>Return <var>feature</var>’s <a data-link-type="dfn" href="#default-value" id="ref-for-default-value">default value</a>.</p>
     </ol>
    </section>
   </section>
   <section>
    <h2 class="heading settled" data-level="9" id="iana-considerations"><span class="secno">9. </span><span class="content">IANA Considerations</span><a class="self-link" href="#iana-considerations"></a></h2>
    <p>The permanent message header field registry should be updated with the
  following registrations <a data-link-type="biblio" href="#biblio-rfc3864">[RFC3864]</a>:</p>
    <dl>
     <dt>Header field name
     <dd>Document-Policy
     <dt>Applicable protocol
     <dd>http
     <dt>Status
     <dd>standard
     <dt>Author/Change controller
     <dd>W3C
     <dt>Specification document
     <dd> <a href>Document Policy API</a> 
    </dl>
    <dl>
     <dt>Header field name
     <dd>Require-Document-Policy
     <dt>Applicable protocol
     <dd>http
     <dt>Status
     <dd>standard
     <dt>Author/Change controller
     <dd>W3C
     <dt>Specification document
     <dd> <a href>Document Policy API</a> 
    </dl>
    <dl>
     <dt>Header field name
     <dd>Sec-Required-Document-Policy
     <dt>Applicable protocol
     <dd>http
     <dt>Status
     <dd>standard
     <dt>Author/Change controller
     <dd>W3C
     <dt>Specification document
     <dd> <a href>Document Policy API</a> 
    </dl>
   </section>
   <section class="informative" id="privacy">
    <h2 class="heading settled" data-level="10" id="privacy-and-security"><span class="secno">10. </span><span class="content">Privacy and Security</span><a class="self-link" href="#privacy-and-security"></a></h2>
    <p>This is going to be very similar to feature policy, with these notes:</p>
    <ol>
     <li data-md>
      <p>Opt-in generally required to enable enforcement in subframes.</p>
     <li data-md>
      <p>Policy attribute may conflict with sandbox attribute</p>
     <li data-md>
      <p>Observability? Yes, still. Take care when designing features that their
effects cannot be seen across origin boundaries.</p>
     <li data-md>
      <p>Take care in creating non-reflect features</p>
    </ol>
    <p>This specification standardizes a mechanism for an embedding page to set a
  policy which will be enforced on an embedded page. When explicit
  acknowlegement of a required policy is not required, similar to iframe <code><a data-link-type="element-sub" href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#attr-iframe-sandbox" id="ref-for-attr-iframe-sandbox">sandbox</a></code>, this means that behaviors of existing features may be
  changed in published web sites, by embedding them in another document with an
  appropriate required policy.</p>
    <p>As such, the biggest privacy and security concerns are:</p>
    <ul>
     <li data-md>
      <p>Exposure of behavior in a cross-origin subframe to its embedder.</p>
     <li data-md>
      <p>Unanticipated behavior changes in subframes controlled by the embedder.</p>
    </ul>
    <p>To a degree, these concerns are already present in the web platform, and this
  specification attempts to at least not make them needlessly worse.</p>
    <p>Security and privacy issues may also be caused by the design of individual
  features, so care must be taken when integrating with this specification. This
  section attempts to provide some guidance as to what kinds of behaviors could
  cause such issues.</p>
    <h3 class="heading settled" data-level="10.1" id="exposure-of-cross-origin-behavior"><span class="secno">10.1. </span><span class="content">Exposure of cross-origin behavior {#exposure-of-cross-origin-behavior}</span><a class="self-link" href="#exposure-of-cross-origin-behavior"></a></h3>
    <p>Features should be designed such that a violation of the policy in a
  framed document is not observable by documents in other frames. For instance,
  a hypothetical feature which caused a event to be fired in the embedding
  document if it is used while disabled by policy, could be used to extract
  information about the state of an embedded document. If the feature is known
  only to be used while a user is logged in to the site, for instance, then the
  embedder could disable that feature for the frame, and then listen for the
  resulting events to determine whether or not the user is logged in.</p>
    <h3 class="heading settled" data-level="10.2" id="unanticipated-behavior-changes"><span class="secno">10.2. </span><span class="content">Unanticipated behavior changes</span><a class="self-link" href="#unanticipated-behavior-changes"></a></h3>
    <p>Document policy grants a document the ability to control which features will
  and will not be availble in a subframe at the time it is loaded. When a
  feature represents an existing, long-standing behavior of the web platform,
  this may mean that existing published content on the web was not written with
  the expectation that a particular API could fail.</p>
    <ul>
     <li data-md>
      <p>Mitigated by requiring opt-in</p>
     <li data-md>
      <p>non-opt-in features have issues similar to sandbox.</p>
     <li data-md>
      <p>Reference FP section</p>
    </ul>
    <h3 class="heading settled" data-level="10.3" id="advertisement-of-required-policy"><span class="secno">10.3. </span><span class="content">Advertisement of required policy</span><a class="self-link" href="#advertisement-of-required-policy"></a></h3>
    <ul>
     <li data-md>
      <p>May leak details of embedder headers or markup.</p>
    </ul>
   </section>
  </main>
  <h2 class="no-ref no-num heading settled" id="conformance"><span class="content">Conformance</span><a class="self-link" href="#conformance"></a></h2>
  <h3 class="no-ref no-num heading settled" id="conventions"><span class="content">Document conventions</span><a class="self-link" href="#conventions"></a></h3>
  <p>Conformance requirements are expressed with a combination of
    descriptive assertions and RFC 2119 terminology. The key words “MUST”,
    “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”,
    “RECOMMENDED”, “MAY”, and “OPTIONAL” in the normative parts of this
    document are to be interpreted as described in RFC 2119.
    However, for readability, these words do not appear in all uppercase
    letters in this specification. </p>
  <p>All of the text of this specification is normative except sections
    explicitly marked as non-normative, examples, and notes. <a data-link-type="biblio" href="#biblio-rfc2119">[RFC2119]</a></p>
  <p>Examples in this specification are introduced with the words “for example”
    or are set apart from the normative text with <code>class="example"</code>,
    like this: </p>
  <div class="example" id="example-ae2b6bc0">
   <a class="self-link" href="#example-ae2b6bc0"></a> 
   <p>This is an example of an informative example.</p>
  </div>
  <p>Informative notes begin with the word “Note” and are set apart from the
    normative text with <code>class="note"</code>, like this: </p>
  <p class="note" role="note">Note, this is an informative note.</p>
  <h3 class="no-ref no-num heading settled" id="conformant-algorithms"><span class="content">Conformant Algorithms</span><a class="self-link" href="#conformant-algorithms"></a></h3>
  <p>Requirements phrased in the imperative as part of algorithms (such as
    "strip any leading space characters" or "return false and abort these
    steps") are to be interpreted with the meaning of the key word ("must",
    "should", "may", etc) used in introducing the algorithm.</p>
  <p>Conformance requirements phrased as algorithms or specific steps can be
    implemented in any manner, so long as the end result is equivalent. In
    particular, the algorithms defined in this specification are intended to
    be easy to understand and are not intended to be performant. Implementers
    are encouraged to optimize.</p>
<script src="https://www.w3.org/scripts/TR/2016/fixup.js"></script>
  <h2 class="no-num no-ref heading settled" id="index"><span class="content">Index</span><a class="self-link" href="#index"></a></h2>
  <h3 class="no-num no-ref heading settled" id="index-defined-here"><span class="content">Terms defined by this specification</span><a class="self-link" href="#index-defined-here"></a></h3>
  <ul class="index">
   <li><a href="#create-document-policy">create-document-policy</a><span>, in §8.6</span>
   <li><a href="#create-for-browsingcontext">create-for-browsingcontext</a><span>, in §8.5</span>
   <li><a href="#declared-document-policy">declared document policy</a><span>, in §4.2</span>
   <li><a href="#default-value">default value</a><span>, in §4.1</span>
   <li><a href="#document-policy-header">Document-Policy</a><span>, in §6.2.1</span>
   <li><a href="#document-policy">document policy</a><span>, in §4.2</span>
   <li><a href="#document-policy-controlled-feature">document policy controlled feature</a><span>, in §4.1</span>
   <li><a href="#get-and-parse-a-structured-header">get and parse a structured header</a><span>, in §7.2</span>
   <li><a href="#get-policy-value">Get policy value for feature in document</a><span>, in §8.8</span>
   <li><a href="#is-policy-compatible">Is policy compatible</a><span>, in §8.1</span>
   <li><a href="#nested-context-required-document-policy">nested context required document policy</a><span>, in §4.2</span>
   <li><a href="#parse-document-policy">Parse document policy</a><span>, in §8.3</span>
   <li><a href="#policy-directive">policy directive</a><span>, in §6.1</span>
   <li><a href="#process-response-policy">Process response policy</a><span>, in §8.2</span>
   <li><a href="#request-required-document-policy">request-required-document-policy</a><span>, in §7.2</span>
   <li><a href="#required-document-policy">required document policy</a><span>, in §4.2</span>
   <li><a href="#require-document-policy-header">Require-Document-Policy</a><span>, in §6.2.2</span>
   <li><a href="#sec-required-document-policy-header">Sec-Required-Document-Policy</a><span>, in §6.2.3</span>
   <li><a href="#serialized-document-policy">serialized document policy</a><span>, in §5</span>
   <li><a href="#serialize-required-policy">Serialize required policy</a><span>, in §8.4</span>
   <li><a href="#should-response-to-request-be-blocked-due-to-document-policy">Should response to request be blocked due to document policy</a><span>, in §8.7</span>
  </ul>
  <aside class="dfn-panel" data-for="term-for-document">
   <a href="https://dom.spec.whatwg.org/#document">https://dom.spec.whatwg.org/#document</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-document">8.8. Get policy value for feature in document</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-concept-document-content-type">
   <a href="https://dom.spec.whatwg.org/#concept-document-content-type">https://dom.spec.whatwg.org/#concept-document-content-type</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-concept-document-content-type">7.1. Integration with HTML</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-concept-document">
   <a href="https://dom.spec.whatwg.org/#concept-document">https://dom.spec.whatwg.org/#concept-document</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-concept-document">7.1. Integration with HTML</a> <a href="#ref-for-concept-document①">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-html-document">
   <a href="https://dom.spec.whatwg.org/#html-document">https://dom.spec.whatwg.org/#html-document</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-html-document">7.1. Integration with HTML</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-concept-document-quirks">
   <a href="https://dom.spec.whatwg.org/#concept-document-quirks">https://dom.spec.whatwg.org/#concept-document-quirks</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-concept-document-quirks">7.1. Integration with HTML</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-policy-controlled-feature">
   <a href="https://wicg.github.io/feature-policy/#policy-controlled-feature">https://wicg.github.io/feature-policy/#policy-controlled-feature</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-policy-controlled-feature">4.2. Policies</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-concept-header">
   <a href="https://fetch.spec.whatwg.org/#concept-header">https://fetch.spec.whatwg.org/#concept-header</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-concept-header">8.2. Process response policy</a> <a href="#ref-for-concept-header①">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-concept-response-header-list">
   <a href="https://fetch.spec.whatwg.org/#concept-response-header-list">https://fetch.spec.whatwg.org/#concept-response-header-list</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-concept-response-header-list">8.2. Process response policy</a> <a href="#ref-for-concept-response-header-list①">(2)</a>
    <li><a href="#ref-for-concept-response-header-list②">8.7. Should response to request be blocked due to document policy?</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-concept-header-name">
   <a href="https://fetch.spec.whatwg.org/#concept-header-name">https://fetch.spec.whatwg.org/#concept-header-name</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-concept-header-name">8.2. Process response policy</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-concept-request-request">
   <a href="https://fetch.spec.whatwg.org/#concept-request-request">https://fetch.spec.whatwg.org/#concept-request-request</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-concept-request-request">7.2. Integration with Fetch</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-concept-response-response">
   <a href="https://fetch.spec.whatwg.org/#concept-response-response">https://fetch.spec.whatwg.org/#concept-response-response</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-concept-response-response">6.2.1. Document-Policy</a>
    <li><a href="#ref-for-concept-response-response①">8.2. Process response policy</a>
    <li><a href="#ref-for-concept-response-response②">8.6. Create a document Policy for a browsing context from response</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-concept-header-value">
   <a href="https://fetch.spec.whatwg.org/#concept-header-value">https://fetch.spec.whatwg.org/#concept-header-value</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-concept-header-value">4.2. Policies</a>
    <li><a href="#ref-for-concept-header-value①">8.2. Process response policy</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-browsing-context">
   <a href="https://html.spec.whatwg.org/multipage/browsers.html#browsing-context">https://html.spec.whatwg.org/multipage/browsers.html#browsing-context</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-browsing-context">8.5. Create a required policy for a browsing context</a>
    <li><a href="#ref-for-browsing-context①">8.6. Create a document Policy for a browsing context from response</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-browsing-context-container">
   <a href="https://html.spec.whatwg.org/multipage/browsers.html#browsing-context-container">https://html.spec.whatwg.org/multipage/browsers.html#browsing-context-container</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-browsing-context-container">8.5. Create a required policy for a browsing context</a> <a href="#ref-for-browsing-context-container①">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-concept-document-feature-policy">
   <a href="https://html.spec.whatwg.org/multipage/dom.html#concept-document-feature-policy">https://html.spec.whatwg.org/multipage/dom.html#concept-document-feature-policy</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-concept-document-feature-policy">7.1. Integration with HTML</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-the-iframe-element">
   <a href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element">https://html.spec.whatwg.org/multipage/iframe-embed-object.html#the-iframe-element</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-the-iframe-element">6.3. The policy attribute of the iframe element</a>
    <li><a href="#ref-for-the-iframe-element①">7.1. Integration with HTML</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-nested-browsing-context">
   <a href="https://html.spec.whatwg.org/multipage/browsers.html#nested-browsing-context">https://html.spec.whatwg.org/multipage/browsers.html#nested-browsing-context</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-nested-browsing-context">7.1. Integration with HTML</a>
    <li><a href="#ref-for-nested-browsing-context①">8.5. Create a required policy for a browsing context</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-concept-origin">
   <a href="https://html.spec.whatwg.org/multipage/origin.html#concept-origin">https://html.spec.whatwg.org/multipage/origin.html#concept-origin</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-concept-origin">7.1. Integration with HTML</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-process-a-navigate-fetch">
   <a href="https://html.spec.whatwg.org/multipage/browsing-the-web.html#process-a-navigate-fetch">https://html.spec.whatwg.org/multipage/browsing-the-web.html#process-a-navigate-fetch</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-process-a-navigate-fetch">7.1. Integration with HTML</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="term-for-attr-iframe-sandbox">
   <a href="https://html.spec.whatwg.org/multipage/iframe-embed-object.html#attr-iframe-sandbox">https://html.spec.whatwg.org/multipage/iframe-embed-object.html#attr-iframe-sandbox</a><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-attr-iframe-sandbox">10. Privacy and Security</a>
   </ul>
  </aside>
  <h3 class="no-num no-ref heading settled" id="index-defined-elsewhere"><span class="content">Terms defined by reference</span><a class="self-link" href="#index-defined-elsewhere"></a></h3>
  <ul class="index">
   <li>
    <a data-link-type="biblio">[DOM]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-document" style="color:initial">Document</span>
     <li><span class="dfn-paneled" id="term-for-concept-document-content-type" style="color:initial">content type</span>
     <li><span class="dfn-paneled" id="term-for-concept-document" style="color:initial">document</span>
     <li><span class="dfn-paneled" id="term-for-html-document" style="color:initial">html document</span>
     <li><span class="dfn-paneled" id="term-for-concept-document-quirks" style="color:initial">quirks mode</span>
    </ul>
   <li>
    <a data-link-type="biblio">[FEATURE-POLICY]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-policy-controlled-feature" style="color:initial">policy-controlled feature</span>
    </ul>
   <li>
    <a data-link-type="biblio">[FETCH]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-concept-header" style="color:initial">header</span>
     <li><span class="dfn-paneled" id="term-for-concept-response-header-list" style="color:initial">header list <small>(for response)</small></span>
     <li><span class="dfn-paneled" id="term-for-concept-header-name" style="color:initial">name</span>
     <li><span class="dfn-paneled" id="term-for-concept-request-request" style="color:initial">request</span>
     <li><span class="dfn-paneled" id="term-for-concept-response-response" style="color:initial">response</span>
     <li><span class="dfn-paneled" id="term-for-concept-header-value" style="color:initial">value</span>
    </ul>
   <li>
    <a data-link-type="biblio">[HTML]</a> defines the following terms:
    <ul>
     <li><span class="dfn-paneled" id="term-for-browsing-context" style="color:initial">browsing context</span>
     <li><span class="dfn-paneled" id="term-for-browsing-context-container" style="color:initial">browsing context container</span>
     <li><span class="dfn-paneled" id="term-for-concept-document-feature-policy" style="color:initial">feature policy</span>
     <li><span class="dfn-paneled" id="term-for-the-iframe-element" style="color:initial">iframe</span>
     <li><span class="dfn-paneled" id="term-for-nested-browsing-context" style="color:initial">nested browsing context</span>
     <li><span class="dfn-paneled" id="term-for-concept-origin" style="color:initial">origin</span>
     <li><span class="dfn-paneled" id="term-for-process-a-navigate-fetch" style="color:initial">process a navigate fetch</span>
     <li><span class="dfn-paneled" id="term-for-attr-iframe-sandbox" style="color:initial">sandbox</span>
    </ul>
  </ul>
  <h2 class="no-num no-ref heading settled" id="references"><span class="content">References</span><a class="self-link" href="#references"></a></h2>
  <h3 class="no-num no-ref heading settled" id="normative"><span class="content">Normative References</span><a class="self-link" href="#normative"></a></h3>
  <dl>
   <dt id="biblio-dom">[DOM]
   <dd>Anne van Kesteren. <a href="https://dom.spec.whatwg.org/">DOM Standard</a>. Living Standard. URL: <a href="https://dom.spec.whatwg.org/">https://dom.spec.whatwg.org/</a>
   <dt id="biblio-feature-policy">[FEATURE-POLICY]
   <dd>Ian Clelland. <a href="https://www.w3.org/TR/feature-policy-1/">Feature Policy</a>. 16 April 2019. WD. URL: <a href="https://www.w3.org/TR/feature-policy-1/">https://www.w3.org/TR/feature-policy-1/</a>
   <dt id="biblio-fetch">[FETCH]
   <dd>Anne van Kesteren. <a href="https://fetch.spec.whatwg.org/">Fetch Standard</a>. Living Standard. URL: <a href="https://fetch.spec.whatwg.org/">https://fetch.spec.whatwg.org/</a>
   <dt id="biblio-header-structure">[HEADER-STRUCTURE]
   <dd>Mark Nottingham; Poul-Henning Kamp. <a href="https://tools.ietf.org/html/draft-ietf-httpbis-header-structure-14">Structured Headers for HTTP</a>. Draft. URL: <a href="https://tools.ietf.org/html/draft-ietf-httpbis-header-structure-14">https://tools.ietf.org/html/draft-ietf-httpbis-header-structure-14</a>
   <dt id="biblio-html">[HTML]
   <dd>Anne van Kesteren; et al. <a href="https://html.spec.whatwg.org/multipage/">HTML Standard</a>. Living Standard. URL: <a href="https://html.spec.whatwg.org/multipage/">https://html.spec.whatwg.org/multipage/</a>
   <dt id="biblio-rfc2119">[RFC2119]
   <dd>S. Bradner. <a href="https://tools.ietf.org/html/rfc2119">Key words for use in RFCs to Indicate Requirement Levels</a>. March 1997. Best Current Practice. URL: <a href="https://tools.ietf.org/html/rfc2119">https://tools.ietf.org/html/rfc2119</a>
   <dt id="biblio-rfc3864">[RFC3864]
   <dd>G. Klyne; M. Nottingham; J. Mogul. <a href="https://tools.ietf.org/html/rfc3864">Registration Procedures for Message Header Fields</a>. September 2004. Best Current Practice. URL: <a href="https://tools.ietf.org/html/rfc3864">https://tools.ietf.org/html/rfc3864</a>
  </dl>
  <h3 class="no-num no-ref heading settled" id="informative"><span class="content">Informative References</span><a class="self-link" href="#informative"></a></h3>
  <dl>
   <dt id="biblio-csp">[CSP]
   <dd>Mike West. <a href="https://www.w3.org/TR/CSP3/">Content Security Policy Level 3</a>. 15 October 2018. WD. URL: <a href="https://www.w3.org/TR/CSP3/">https://www.w3.org/TR/CSP3/</a>
  </dl>
  <aside class="dfn-panel" data-for="default-value">
   <b><a href="#default-value">#default-value</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-default-value">8.8. Get policy value for feature in document</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="required-document-policy">
   <b><a href="#required-document-policy">#required-document-policy</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-required-document-policy">4.2. Policies</a>
    <li><a href="#ref-for-required-document-policy①">6.2.2. Require-Document-Policy</a>
    <li><a href="#ref-for-required-document-policy②">7.1. Integration with HTML</a> <a href="#ref-for-required-document-policy③">(2)</a> <a href="#ref-for-required-document-policy④">(3)</a> <a href="#ref-for-required-document-policy⑤">(4)</a> <a href="#ref-for-required-document-policy⑥">(5)</a>
    <li><a href="#ref-for-required-document-policy⑦">8.1. Is policy compatible?</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="nested-context-required-document-policy">
   <b><a href="#nested-context-required-document-policy">#nested-context-required-document-policy</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-nested-context-required-document-policy">8.5. Create a required policy for a browsing context</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="declared-document-policy">
   <b><a href="#declared-document-policy">#declared-document-policy</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-declared-document-policy">8.1. Is policy compatible?</a>
    <li><a href="#ref-for-declared-document-policy①">8.2. Process response policy</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="document-policy">
   <b><a href="#document-policy">#document-policy</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-document-policy">4.2. Policies</a> <a href="#ref-for-document-policy①">(2)</a> <a href="#ref-for-document-policy②">(3)</a>
    <li><a href="#ref-for-document-policy③">6.2.1. Document-Policy</a>
    <li><a href="#ref-for-document-policy④">6.2.3. Sec-Required-Document-Policy</a>
    <li><a href="#ref-for-document-policy⑤">7.1. Integration with HTML</a>
    <li><a href="#ref-for-document-policy⑥">7.2. Integration with Fetch</a>
    <li><a href="#ref-for-document-policy⑦">8.3. Parse document policy</a>
    <li><a href="#ref-for-document-policy⑧">8.4. Serialize required policy</a>
    <li><a href="#ref-for-document-policy⑨">8.5. Create a required policy for a browsing context</a>
    <li><a href="#ref-for-document-policy①⓪">8.6. Create a document Policy for a browsing context from response</a>
    <li><a href="#ref-for-document-policy①①">8.8. Get policy value for feature in document</a> <a href="#ref-for-document-policy①②">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="serialized-document-policy">
   <b><a href="#serialized-document-policy">#serialized-document-policy</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-serialized-document-policy">7.1. Integration with HTML</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="policy-directive">
   <b><a href="#policy-directive">#policy-directive</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-policy-directive">6.2.3. Sec-Required-Document-Policy</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="request-required-document-policy">
   <b><a href="#request-required-document-policy">#request-required-document-policy</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-request-required-document-policy">7.2. Integration with Fetch</a> <a href="#ref-for-request-required-document-policy①">(2)</a>
    <li><a href="#ref-for-request-required-document-policy②">8.7. Should response to request be blocked due to document policy?</a> <a href="#ref-for-request-required-document-policy③">(2)</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="is-policy-compatible">
   <b><a href="#is-policy-compatible">#is-policy-compatible</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-is-policy-compatible">8.6. Create a document Policy for a browsing context from response</a>
    <li><a href="#ref-for-is-policy-compatible">8.7. Should response to request be blocked due to document policy?</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="process-response-policy">
   <b><a href="#process-response-policy">#process-response-policy</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-process-response-policy">8.6. Create a document Policy for a browsing context from response</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="parse-document-policy">
   <b><a href="#parse-document-policy">#parse-document-policy</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-parse-document-policy">8.2. Process response policy</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="serialize-required-policy">
   <b><a href="#serialize-required-policy">#serialize-required-policy</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-serialize-required-policy">7.2. Integration with Fetch</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="create-for-browsingcontext">
   <b><a href="#create-for-browsingcontext">#create-for-browsingcontext</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-create-for-browsingcontext">7.1. Integration with HTML</a>
    <li><a href="#ref-for-create-for-browsingcontext①">8.6. Create a document Policy for a browsing context from response</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="create-document-policy">
   <b><a href="#create-document-policy">#create-document-policy</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-create-document-policy">7.1. Integration with HTML</a>
   </ul>
  </aside>
  <aside class="dfn-panel" data-for="should-response-to-request-be-blocked-due-to-document-policy">
   <b><a href="#should-response-to-request-be-blocked-due-to-document-policy">#should-response-to-request-be-blocked-due-to-document-policy</a></b><b>Referenced in:</b>
   <ul>
    <li><a href="#ref-for-should-response-to-request-be-blocked-due-to-document-policy">7.2. Integration with Fetch</a> <a href="#ref-for-should-response-to-request-be-blocked-due-to-document-policy①">(2)</a> <a href="#ref-for-should-response-to-request-be-blocked-due-to-document-policy②">(3)</a>
   </ul>
  </aside>
<script>/* script-dfn-panel */

document.body.addEventListener("click", function(e) {
    var queryAll = function(sel) { return [].slice.call(document.querySelectorAll(sel)); }
    // Find the dfn element or panel, if any, that was clicked on.
    var el = e.target;
    var target;
    var hitALink = false;
    while(el.parentElement) {
        if(el.tagName == "A") {
            // Clicking on a link in a <dfn> shouldn't summon the panel
            hitALink = true;
        }
        if(el.classList.contains("dfn-paneled")) {
            target = "dfn";
            break;
        }
        if(el.classList.contains("dfn-panel")) {
            target = "dfn-panel";
            break;
        }
        el = el.parentElement;
    }
    if(target != "dfn-panel") {
        // Turn off any currently "on" or "activated" panels.
        queryAll(".dfn-panel.on, .dfn-panel.activated").forEach(function(el){
            el.classList.remove("on");
            el.classList.remove("activated");
        });
    }
    if(target == "dfn" && !hitALink) {
        // open the panel
        var dfnPanel = document.querySelector(".dfn-panel[data-for='" + el.id + "']");
        if(dfnPanel) {
            dfnPanel.classList.add("on");
            var rect = el.getBoundingClientRect();
            dfnPanel.style.left = window.scrollX + rect.right + 5 + "px";
            dfnPanel.style.top = window.scrollY + rect.top + "px";
            var panelRect = dfnPanel.getBoundingClientRect();
            var panelWidth = panelRect.right - panelRect.left;
            if(panelRect.right > document.body.scrollWidth && (rect.left - (panelWidth + 5)) > 0) {
                // Reposition, because the panel is overflowing
                dfnPanel.style.left = window.scrollX + rect.left - (panelWidth + 5) + "px";
            }
        } else {
            console.log("Couldn't find .dfn-panel[data-for='" + el.id + "']");
        }
    } else if(target == "dfn-panel") {
        // Switch it to "activated" state, which pins it.
        el.classList.add("activated");
        el.style.left = null;
        el.style.top = null;
    }

});
</script>